[SAC] Trac and Private tickets

Hi,

During a few security tickets we worked on (MapServer), we created the tickets
to keep the trace of the different issues and patches. We have been asked if
it would be possible to create private tickets rather than public. The reason
is simple: since they are security issues, it would be better to only reveal
them since all the patches are done and the release ready.

I'm aware of a few "private plugins" for trac and I could take a look at them
and install it for our mapserver trac. Unfortunately, since the migration of
the servers, I think my sac account hasn't been created.

regards,
Alan

--
Alan Boudreault
Mapgears
http://www.mapgears.com

Alan Boudreault wrote:

> Hi,
>
> During a few security tickets we worked on (MapServer), we created the tickets to keep the trace of the different issues and patches. We have been asked if it would be possible to create private tickets rather than public. The reason is simple: since they are security issues, it would be better to only reveal them since all the patches are done and the release ready.
>
> I'm aware of a few "private plugins" for trac and I could take a look at them and install it for our mapserver trac. Unfortunately, since the migration of the servers, I think my sac account hasn't been created.

Alan,

I observe that you are in the "sac" group:

   https://www.osgeo.org/cgi-bin/auth/ldap_shell.py?group=sac

and so should be able to login to the Trac machine. You might need someone
to add sudo permissions. I'd suggest Chris or Howard do that since they
seem to be primarily responsible for the services on this VM and should
effectively ok the request.

I have also, from time to time, had a need for handling security related
issues and wished there was a way of restricting access to the corresponding
tickets for a while.

Best regards,
--
---------------------------------------+--------------------------------------
I set the clouds in motion - turn up | Frank Warmerdam, warmerdam@pobox.com
light and sound - activate the windows | http://pobox.com/~warmerdam
and watch the world go round - Rush | Geospatial Programmer for Rent

Hi Sac members,

I installed a trac plugin to handle this privacy issue. The plugin is called
"securetickets" and can be found on http://trac-hacks.org. The initial
behavior of the plugin was to set all tickets private, then let the user
define which components are public. I modified this to fit osgeo needs.
Since everything is public by default, we'll manually set the private
components and everything else will be public. Here's how to use the plugin:

1- Enable the plugin in trac.ini:
[components]
securetickets.* = enabled

2- Modify the permission_policies in trac.ini:
permission_policies = SecureTicketsPolicy, DefaultPermissionPolicy, ...

3- Define private components in trac.ini:
[securetickets]
private_components = Vulnerabilities, Component2, ...

To allow a user or a group to view the private tickets, you'll have to grant
them the permission SECURE_TICKET_VIEW.

regards,
Alan

On September 2, 2010 10:31:32 am Frank Warmerdam wrote:

Alan Boudreault wrote:
> Hi,
>
> During a few security tickets we worked on (MapServer), we created the
> tickets to keep the trace of the different issues and patches. We have
> been asked if it would be possible to create private tickets rather than
> public. The reason is simple: since they are security issues, it would
> be better to only reveal them since all the patches are done and the
> release ready.
>
> I'm aware of a few "private plugins" for trac and I could take a look at
> them and install it for our mapserver trac. Unfortunately, since the
> migration of the servers, I think my sac account hasn't been created.

Alan,

I observe that you are in the "sac" group:

   https://www.osgeo.org/cgi-bin/auth/ldap_shell.py?group=sac

and so should be able to login to the Trac machine. You might need someone
to add sudo permissions. I'd suggest Chris or Howard do that since they
seem to be primarily responsible for the services on this VM and should
effectively ok the request.

I have also, from time to time, had a need for handling security related
issues and wished there was a way of restricting access to the
corresponding tickets for a while.

Best regards,

--
Alan Boudreault
Mapgears
http://www.mapgears.com
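
One way to check a trac.ini against the three steps in the message above, as an added example that is not part of the original thread or of the plugin's code. It assumes `permission_policies` sits in the `[trac]` section, as in stock Trac, and that the modified plugin reads `private_components` as the message describes; `audit_trac_ini` and both sample files are constructed for illustration.

```python
import configparser

# Constructed sample: trac.ini after the three steps from the message.
SAMPLE_OK = """\
[components]
securetickets.* = enabled
[trac]
permission_policies = SecureTicketsPolicy, DefaultPermissionPolicy
[securetickets]
private_components = Vulnerabilities
"""

# Constructed sample: policy listed after the default one, step 3 missing.
SAMPLE_BAD = """\
[components]
securetickets.* = enabled
[trac]
permission_policies = DefaultPermissionPolicy, SecureTicketsPolicy
"""

def _csv(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def audit_trac_ini(text):
    """Return findings for the three steps; an empty list means all are in place."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    findings = []

    # Step 1: plugin enabled (Trac treats "enabled" and "on" as enabled).
    state = cfg.get("components", "securetickets.*", fallback="")
    if state.strip().lower() not in ("enabled", "on"):
        findings.append("securetickets.* is not enabled in [components]")

    # Step 2: Trac consults policies in order, so the plugin's policy must
    # come before DefaultPermissionPolicy (assumed to sit in [trac]).
    policies = _csv(cfg.get("trac", "permission_policies", fallback=""))
    if "SecureTicketsPolicy" not in policies:
        findings.append("SecureTicketsPolicy missing from permission_policies")
    elif ("DefaultPermissionPolicy" in policies and
          policies.index("SecureTicketsPolicy") >
          policies.index("DefaultPermissionPolicy")):
        findings.append("SecureTicketsPolicy is listed after DefaultPermissionPolicy")

    # Step 3: with the modified plugin everything is public unless listed here.
    private = _csv(cfg.get("securetickets", "private_components", fallback=""))
    if not private:
        findings.append("no private_components set, so all tickets stay public")
    return findings
```
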

On 11-01-04 11:26 AM, Alan Boudreault wrote:

> Hi Sac members,
>
> I installed a trac plugin to handle this privacy issue. The plugin is called
> "securetickets" and can be found on http://trac-hacks.org. The initial
> behavior of the plugin was to set all tickets private, then let the user
> define which components are public. I modified this to fit osgeo needs.
> Since everything is public by default, we'll manually set the private
> components and everything else will be public. Here's how to use the plugin:
>
> 1- Enable the plugin in trac.ini:
> [components]
> securetickets.* = enabled
>
> 2- Modify the permission_policies in trac.ini:
> permission_policies = SecureTicketsPolicy, DefaultPermissionPolicy, ...
>
> 3- Define private components in trac.ini:
> [securetickets]
> private_components = Vulnerabilities, Component2, ...
>
> To allow a user or a group to view the private tickets, you'll have to grant
> them the permission SECURE_TICKET_VIEW.

Alan,

Great work! I presume you will be setting up a security related component
for MapServer using this?

Could you add the above information into:

   http://wiki.osgeo.org/wiki/Trac_Instances

for future reference?

Thanks,
--
---------------------------------------+--------------------------------------
I set the clouds in motion - turn up | Frank Warmerdam, warmerdam@pobox.com
light and sound - activate the windows | http://pobox.com/~warmerdam
and watch the world go round - Rush | Geospatial Programmer for Rent

Yes Frank, I created the component "Vulnerabilities" for MapServer. I'll add
the instructions in the wiki as well.

Alan

On January 4, 2011 11:46:26 am Frank Warmerdam wrote:

On 11-01-04 11:26 AM, Alan Boudreault wrote:
> Hi Sac members,
>
> I installed a trac plugin to handle this privacy issue. The plugin is
> called "securetickets" and can be found on http://trac-hacks.org. The
> initial behavior of the plugin was to set all tickets private, then let
> the user define which components are public. I modified this to fit
> osgeo needs. Since everything is public by default, we'll manually set
> the private components and everything else will be public. Here's how to
> use the plugin:
>
> 1- Enable the plugin in trac.ini:
> [components]
> securetickets.* = enabled
>
> 2- Modify the permission_policies in trac.ini:
> permission_policies = SecureTicketsPolicy, DefaultPermissionPolicy, ...
>
> 3- Define private components in trac.ini:
> [securetickets]
> private_components = Vulnerabilities, Component2, ...
>
> To allow a user or a group to view the private tickets, you'll have to
> grant them the permission SECURE_TICKET_VIEW.

Alan,

Great work! I presume you will be setting up a security related component
for MapServer using this?

Could you add the above information into:

   http://wiki.osgeo.org/wiki/Trac_Instances

for future reference?

Thanks,

--
Alan Boudreault
Mapgears
http://www.mapgears.com