
Re: Nightmares and critical security issue with new LTSP



Hi,

> > But one major problem I found is that the new system of building the
> > image from the main server's root filesystem is prone to building
> > images that contain far too much – reaching from dhcpd to freeradius
> > and other services that should not be in the image, to a full copy of
> > the LDAP data directory, Kerberos database keys, the GOSa secret, and
> > everything else that should by all means not be shipped to random
> > netboot clients over the network.
> 
> Most probably forgotten to exclude. There's a list of excludes 
> (/etc/ltsp/image-local.excludes) prepended by a FIXME.

This file is empty, both on the upgraded and on the freshly installed
combined server.

> > I installed a fresh Debian Edu 11 combined server in a test
> > environment and can reproduce that issue, meaning that in my opinion,
> > Debian Edu 11 **must not be used with LTSP in a production
> > environment** without taking very much care to mitigate this issue.
> 
> ATM I don't have a test environment. Feel free to fix the script after 
> testing with an extended exclude list for the main server.
> 
> That said, it would be best (for setups managed by professionals) to use 
> separate LTSP servers anyway - like recommended in the manual: 
> https://wiki.debian.org/DebianEdu/Documentation/Bullseye/Architecture#Services_running_on_the_main_server

Yes, that would be the desirable case. Nonetheless, using a combined
server should not expose security-relevant data and keys to the
public.

I will try my best to find out how to fix that.

In any case, should we warn users?

-nik

-- 
Dominik George (First Chairman of the Board, Educational Director)
Teckids e.V. — Digital freedom with youth and education
https://www.teckids.org/
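A pre-publication check of the kind discussed in this thread, added here as an example and not taken from the mail, from LTSP or from Debian Edu: it walks an unpacked or mounted image root and reports the service data and key material that a combined server's root filesystem would otherwise carry into the netboot image. The paths it lists are assumptions about default Debian locations on such a server, and the sample tree it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Audit an LTSP image root (mounted squashfs or unpacked tree) for data
# that must not be shipped to netboot clients. Added example; the paths
# below are assumed Debian defaults, not taken from the mail or from LTSP.

# Sensitive paths relative to the image root (assumptions; extend per site).
SENSITIVE_PATHS="
var/lib/ldap
etc/ldap/slapd.d
var/lib/krb5kdc
etc/krb5kdc
etc/gosa/gosa.secret
etc/freeradius
etc/dhcp/dhcpd.conf
etc/ssh/ssh_host_ed25519_key
"

# Print every sensitive path that exists under the given image root.
# Returns 0 when the image is clean, 1 when something leaked, 2 on misuse.
audit_image_root() {
    img_root=$1
    # Refuse an empty or missing root so we never inspect the live host by accident.
    if [ -z "$img_root" ] || [ ! -d "$img_root" ]; then
        echo "audit_image_root: image root '$img_root' is not a directory" >&2
        return 2
    fi
    found=0
    for p in $SENSITIVE_PATHS; do
        if [ -e "$img_root/$p" ]; then
            echo "LEAK: /$p"
            found=1
        fi
    done
    return $found
}

# Build a constructed sample tree imitating a combined-server image that
# leaked the LDAP data directory and the GOsa secret (demo input only).
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/var/lib/ldap" "$d/etc/gosa" "$d/usr/bin"
    printf 'fake-ldap-db' > "$d/var/lib/ldap/data.mdb"
    printf 'fake-secret' > "$d/etc/gosa/gosa.secret"
    echo "$d"
}
```

Run it against the image root before it is published; a non-zero exit is the signal to extend the exclude list and rebuild.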