--- Begin Message ---
- To: debian-release@lists.debian.org
- Cc: fusionforge-general@lists.fusionforge.org
- Subject: Re: [Fusionforge-general] Seeking pre-upload approval (was Re: MW 1.19 for wheezy)
- From: Thorsten Glaser <t.glaser@tarent.de>
- Date: Mon, 3 Sep 2012 13:19:23 +0200 (CEST)
- Message-id: <alpine.DEB.2.02.1209031318090.19183@tglase.lan.tarent.de>
- In-reply-to: <alpine.DEB.2.02.1208301130351.22189@tglase.lan.tarent.de>
- References: <4FB53331.4060400@everybody.org> <4FBBA953.8020203@everybody.org> <alpine.DEB.2.02.1205221723060.29998@tglase.lan.tarent.de> <4FBBB712.6040601@everybody.org> <alpine.DEB.2.02.1205221806090.29998@tglase.lan.tarent.de> <4FBBC358.6070607@everybody.org> <alpine.DEB.2.02.1205221903510.29998@tglase.lan.tarent.de> <17bfb82c02af17db0b6b0b907875484f@hogwarts.powdarrmonkey.net> <alpine.DEB.2.02.1205301511550.23759@tglase.lan.tarent.de> <443f47539d979eb3e60c983b0bee5d87@hogwarts.powdarrmonkey.net> <alpine.DEB.2.02.1206011343560.8360@tglase.lan.tarent.de> <6911303933361f30ae2f4f3356a18809@hogwarts.powdarrmonkey.net> <Pine.BSM.4.64L.1206061658380.16816@herc.mirbsd.org> <alpine.DEB.2.02.1208301130351.22189@tglase.lan.tarent.de>
On Thu, 30 Aug 2012, Thorsten Glaser wrote:
> I’m hereby seeking pre-upload approval for new uploads (not new
[…]
> • fusionforge_5.2~rc1wheezy1.debdiff
The diff attached will also need to be added to this upload
for security reasons. I found out today that deleted users
can still log in via SSH using their old pre-deletion password
(not with SSH pubkey auth, though, and they cannot do “much”,
but it’s still a security risk).
bye,
//mirabilos
--
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-314
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Boris Esser, Sebastian Mancke
Index: debian/changelog
===================================================================
--- debian/changelog (revision 16198)
+++ debian/changelog (working copy)
@@ -11,8 +11,9 @@
* Check image upload is enabled before trying to do so (Closes: #679521)
* Unbreak and silence the MediaWiki nightly dump cronjob (Closes: #680165)
* Remove minified ECMAscript and binary *.jar from the source
+ * SECURITY: Upon user deletion, remove their Unix account as well
- -- Thorsten Glaser <tg@mirbsd.de> Thu, 30 Aug 2012 11:06:02 +0200
+ -- Thorsten Glaser <tg@mirbsd.de> Mon, 03 Sep 2012 11:55:51 +0200
fusionforge (5.2~rc1-5) unstable; urgency=low
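Review bot: The added entry "SECURITY: Upon user deletion, remove their Unix account as well" describes only half of what this upload does. The visible code sets unix_status to 'D' rather than removing anything directly, and db/20120903-no-unix-account-for-deleted-users.sql additionally changes every existing user whose status is not 'A'. For a security fix going through pre-upload approval, state both effects in the entry (what happens on deletion, and that the DB upgrade retroactively updates existing accounts), and add a bug reference in the style of the neighbouring "Closes:" entries if one exists.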
Index: db/20120903-no-unix-account-for-deleted-users.sql
===================================================================
--- db/20120903-no-unix-account-for-deleted-users.sql (revision 0)
+++ db/20120903-no-unix-account-for-deleted-users.sql (revision 0)
@@ -0,0 +1 @@
+UPDATE users SET unix_status='D' WHERE status!='A';
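Review bot: The predicate status!='A' in the UPDATE is wider than the "user deletion" the changelog names: it sets unix_status='D' for every account that is not active, whatever other status values exist, while the User.class.php change only touches unix_status when a user is deleted. If only deleted users are meant, use WHERE status='D'; if every non-active user should lose the Unix account, say so in a comment in this file so the difference from the PHP change is deliberate and documented. Rows with a NULL status are not matched by != and keep their current unix_status.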
Index: common/include/User.class.php
===================================================================
--- common/include/User.class.php (revision 16198)
+++ common/include/User.class.php (working copy)
@@ -502,6 +502,7 @@
plugin_hook("user_delete", $hook_params);
$this->setStatus('D');
+ $this->setUnixStatus('D');
db_commit();
}
return true;
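Review bot: The results of setStatus('D') and the added setUnixStatus('D') are not checked before db_commit(), so if setUnixStatus fails the deletion is committed while the Unix account stays usable, which is the exact state this fix is meant to close. Check both return values and abort the transaction instead of committing when either call fails. The user_delete hook also fires before either status change, so plugins handling it still see the old unix_status; confirm that ordering is intended.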
--- End Message ---