[SAC] [OSGeo] #346: MapGuide download permissions too open

#346: MapGuide download permissions too open
-------------------+--------------------------------------------------------
Reporter: jbirch | Owner: sac@lists.osgeo.org
    Type: task | Status: new
Priority: normal | Component: SAC
Keywords: |
-------------------+--------------------------------------------------------
Currently, the mapguide download folder is writable by any user in the
users group.

Could you please create a "mapguide" group so that we can better control
write access to this directory structure?

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/346>
OSGeo <http://www.osgeo.org/>
OSGeo committee and general foundation issue tracker.

#346: MapGuide download permissions too open
----------------------+-----------------------------------------------------
  Reporter: jbirch | Owner: sac@lists.osgeo.org
      Type: task | Status: closed
  Priority: normal | Component: SAC
Resolution: wontfix | Keywords:
----------------------+-----------------------------------------------------
Changes (by warmerdam):

  * status: new => closed
  * resolution: => wontfix

Comment:

Jason,

Currently there should be several folks with accounts on upload.osgeo.org
who can use sudo to create new groups as required.

Note that essentially all users on this system have sudo access, so
restrictive permissions will be at best a clue to others that they should
not be messing in this directory. It won't actually prevent access. So
perhaps it is sufficient to keep an occasional eye on things?

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/346#comment:1>

#346: MapGuide upload permissions too open
----------------------+-----------------------------------------------------
  Reporter: jbirch | Owner: sac@lists.osgeo.org
      Type: task | Status: closed
  Priority: normal | Component: SAC
Resolution: wontfix | Keywords:
----------------------+-----------------------------------------------------
Changes (by jbirch):

  * summary: MapGuide download permissions too open => MapGuide upload
              permissions too open

Comment:

My main concern was that if an account got compromised (which is a
reasonable possibility since we aren't requiring SSL for all LDAP-based
services, such as Trac logins) then the MapGuide downloads could be
compromised. With most accounts on that server having wheel, I guess the
initial request is pointless :)

I'm not sure how we could keep an eye on things; is there some kind of
change log for files on that share? I think Howard suggested using SVN to
store MD5 strings of the files. That's not a bad idea at all. I don't
think that the MapGuide Drupal site is under LDAP yet, so continuing to
post the md5 sums on a web page there is probably enough isolation still.

I was thinking about some kind of automated process to check the files
against md5 sums in SVN, but to be efficient that process would have to
reside on the same server, so it's not really much additional protection.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/346#comment:2>

#346: MapGuide upload permissions too open
----------------------+-----------------------------------------------------
  Reporter: jbirch | Owner: sac@lists.osgeo.org
      Type: task | Status: closed
  Priority: normal | Component: SAC
Resolution: wontfix | Keywords:
----------------------+-----------------------------------------------------
Comment (by warmerdam):

Jason,

The download server offers rsync downloads. You might want to set up a
server on which the files are rsync'ed and checked. Currently the files
are already rsynced to osgeo2, so if you wanted to set up an md5 checksum
tester, that might be a good place.

Alternatively, we could go back to using local accounts instead of LDAP
accounts for access to the telascience blades, and reduce the risk of a
compromise due to LDAP account breakage.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/346#comment:3>
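
The checksum tester discussed in this thread (files rsynced to a second host and compared against sums kept elsewhere, such as SVN) could look like the following. This is an added example, not code from the ticket or from OSGeo. The function names are hypothetical, the manifest is assumed to be in `md5sum` output format, and the sample files are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def parse_manifest(text):
    """Parse md5sum-style lines ("<hex digest>  <relative path>") into a dict."""
    expected = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            digest, name = line.split(None, 1)
            # md5sum marks binary mode with a leading "*" on the file name.
            expected[name.strip().lstrip("*")] = digest.lower()
    return expected


def file_digest(path, algorithm="md5"):
    """Hash a file in chunks so large installers do not need to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_mirror(mirror_dir, manifest_text, algorithm="md5"):
    """Report files that are modified, missing, or present but not in the manifest."""
    expected = parse_manifest(manifest_text)
    root = Path(mirror_dir)
    on_disk = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    modified = [n for n in sorted(expected.keys() & on_disk)
                if file_digest(root / n, algorithm) != expected[n]]
    return {"modified": modified, "missing": sorted(expected.keys() - on_disk),
            "unlisted": sorted(on_disk - expected.keys())}


def demo():
    """Constructed sample: three released files; one is altered, one removed, one added."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {"a.exe": b"installer", "b.tar.gz": b"source", "c.zip": b"docs"}
        for name, data in files.items():
            (root / name).write_bytes(data)
        manifest = "\n".join(f"{hashlib.md5(d).hexdigest()}  {n}" for n, d in files.items())
        (root / "a.exe").write_bytes(b"tampered")       # content changed after release
        (root / "c.zip").unlink()                       # file removed from the share
        (root / "extra.bin").write_bytes(b"unexpected")  # file nobody published
        return audit_mirror(root, manifest)
```

Run it on the mirror host rather than the upload host, with the manifest fetched from the separate store, so that an account on the upload server cannot alter both the files and the sums. Passing `algorithm="sha256"` checks a `sha256sum`-style manifest the same way.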