[Bug 599066] Create a specific check for the gnomeweb user from l10n.gnome.org

  sysadmin | Git | unspecified

Andrea Veri <andrea.veri> changed:

           What    |Removed                     |Added
                 CC|                            |andrea veri gmail com

--- Comment #40 from Andrea Veri <andrea veri gmail com> 2013-08-24 12:44:34 UTC ---
Here's what the final setup looks like:

1. the translations user was added into LDAP and an SSH key pair was generated
for this user, the key is currently living in
/usr/local/www/gnomeweb/.ssh/translations_rsa on progress.gnome.org. The
translations user has its own switch on create-auth, and it's currently not
part of the gnomevcs group. The gnomeweb user has access to the file in rw, the
file is not group accessible.

2. create-auth restricts access for the translations user, making sure the
user itself can only reach git.gnome.org from boron.canonical.com; in addition,
it can't get a pty allocated. More details at
https://git.gnome.org/browse/sysadmin-bin/tree/create-auth#n40. Thanks Jeff for
your past work on this.

3. Owen's hook has been committed to sysadmin-bin and enabled globally. The
hook will make sure that the only committable files are: PO/help files, with
the addition of the LINGUAS line on Makefile.am.

4. The only downside of the whole setup is the translations_rsa file being
handled by gnomeweb, which is the user that is currently running the
damned-lies service. I did ask Claude to properly implement a way to really use
the translations user for making the commit.

I personally don't see any grave security issue in this: we do have a lot of
checks in place already, and removing an offending key is a matter of a few
seconds in case an attacker gains access to the gnomeweb user. But having a
command that gets executed by a user != gnomeweb itself would indeed be
nice; that way, even if an attacker gains access to the gnomeweb user by
hacking the damned-lies app, the ssh key won't be accessible at all, given it
being chowned to translations:translations in 0600 mode.
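The path restriction described in point 3 (only PO/help files committable, plus the LINGUAS line in Makefile.am) is the kind of check a git `update` hook can enforce server-side for a restricted automation account. The script below is an added illustration written for this page, not Owen's hook from sysadmin-bin nor any GNOME code; the allowed-path patterns (`po/*.po`, `help/<lang>/*.po`), the `*LINGUAS` variable match, and the use of `git diff` via subprocess are all assumptions. The sample diff it checks is constructed inline.

```python
"""Example git 'update' hook logic restricting what a translation-only
account may change. Added example; assumptions are marked below."""
import re
import subprocess
import sys
from typing import Dict, Iterable, List

# ASSUMED policy: PO files under po/ or help/<lang>/ are always allowed.
ALLOWED_PATH_RE = re.compile(r"^(?:po/[^/]+\.po|help/[^/]+/[^/]+\.po)$")

# ASSUMED: a Makefile.am change is allowed only if every +/- line is an
# assignment to a variable ending in LINGUAS (LINGUAS, DOC_LINGUAS, ...).
LINGUAS_LINE_RE = re.compile(r"^[-+]\s*\w*LINGUAS\s*[+:?]?=")


def makefile_diff_ok(diff_lines: Iterable[str]) -> bool:
    """True if the unified diff of a Makefile.am touches only LINGUAS lines."""
    for line in diff_lines:
        # Skip the file headers; they also begin with '+'/'-'.
        if line.startswith(("+++ ", "--- ")):
            continue
        if line.startswith(("+", "-")) and not LINGUAS_LINE_RE.match(line):
            return False
    return True


def check_push(changed_files: Iterable[str],
               makefile_diffs: Dict[str, List[str]]) -> List[str]:
    """Return the list of paths that violate the policy (empty == accept).

    makefile_diffs maps each changed Makefile.am path to its diff lines.
    """
    rejected = []
    for path in changed_files:
        if ALLOWED_PATH_RE.match(path):
            continue
        if path.endswith("Makefile.am") and makefile_diff_ok(
                makefile_diffs.get(path, [])):
            continue
        rejected.append(path)
    return rejected


def collect_from_git(oldrev: str, newrev: str):
    """Gather changed paths and Makefile.am diffs between two revisions.

    Runs in the repository the hook is invoked from (assumed layout).
    """
    names = subprocess.run(
        ["git", "diff", "--name-only", oldrev, newrev],
        check=True, capture_output=True, text=True).stdout.split()
    diffs = {}
    for path in names:
        if path.endswith("Makefile.am"):
            out = subprocess.run(
                ["git", "diff", oldrev, newrev, "--", path],
                check=True, capture_output=True, text=True).stdout
            diffs[path] = out.splitlines()
    return names, diffs


# Constructed sample: a push that updates a PO file and adds 'fr' to LINGUAS.
SAMPLE_FILES = ["po/de.po", "help/Makefile.am"]
SAMPLE_DIFFS = {
    "help/Makefile.am": [
        "--- a/help/Makefile.am",
        "+++ b/help/Makefile.am",
        "@@ -1,3 +1,3 @@",
        " HELP_ID = gnome-help",
        "-HELP_LINGUAS = de",
        "+HELP_LINGUAS = de fr",
    ],
}


if __name__ == "__main__":
    # git calls the update hook as: update <refname> <oldrev> <newrev>
    if len(sys.argv) == 4:
        files, diffs = collect_from_git(sys.argv[2], sys.argv[3])
    else:
        files, diffs = SAMPLE_FILES, SAMPLE_DIFFS
    bad = check_push(files, diffs)
    if bad:
        print("rejected: " + ", ".join(bad), file=sys.stderr)
        sys.exit(1)
    print("accepted")
```

A check like this is only one layer: it limits what a pushed ref may contain, while the from= host restriction and missing pty described in point 2 limit where and how the key can be used at all. Both matter because the key itself is readable by the gnomeweb user.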
