
Deleted users still being able to log in via ssh to fusionforge installs - Was: Re: Seeking pre-upload approval (was Re: MW 1.19 for wheezy)



Hi.

FWIW, I think that the problem identified by Thorsten on FusionForge
probably affects pre-wheezy versions as well, hence my forwarding to the
security team.

This needs to be investigated, but I'm not really able to dedicate
myself to it at the moment.

Hope this helps.

Best regards,

--- Begin Message ---
On Thu, 30 Aug 2012, Thorsten Glaser wrote:

> I’m hereby seeking pre-upload approval for new uploads (not new
[…]
> • fusionforge_5.2~rc1wheezy1.debdiff

The diff attached will also need to be added to this upload
for security reasons. I found out today that deleted users
can still log in via SSH using their old pre-deletion password
(not with SSH pubkey auth, though, and they cannot do “much”,
but it’s still a security risk).

bye,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-314
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Boris Esser, Sebastian Mancke
Index: debian/changelog
===================================================================
--- debian/changelog	(revision 16198)
+++ debian/changelog	(working copy)
@@ -11,8 +11,9 @@
   * Check image upload is enabled before trying to do so (Closes: #679521)
   * Unbreak and silence the MediaWiki nightly dump cronjob (Closes: #680165)
   * Remove minified ECMAscript and binary *.jar from the source
+  * SECURITY: Upon user deletion, remove their Unix account as well
 
- -- Thorsten Glaser <tg@mirbsd.de>  Thu, 30 Aug 2012 11:06:02 +0200
+ -- Thorsten Glaser <tg@mirbsd.de>  Mon, 03 Sep 2012 11:55:51 +0200
 
 fusionforge (5.2~rc1-5) unstable; urgency=low
 
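Review bot: the changelog entry on the added line describes only the runtime change (Unix account removed on deletion), but this upload also ships a one-off migration, db/20120903-no-unix-account-for-deleted-users.sql, that must run against existing installs to close the hole for users deleted before the fix. The entry should say that existing deleted users are fixed up by a database update on upgrade, so whoever reads the changelog knows a schema change is part of this security fix and can verify it was applied.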
Index: db/20120903-no-unix-account-for-deleted-users.sql
===================================================================
--- db/20120903-no-unix-account-for-deleted-users.sql	(revision 0)
+++ db/20120903-no-unix-account-for-deleted-users.sql	(revision 0)
@@ -0,0 +1 @@
+UPDATE users SET unix_status='D' WHERE status!='A';
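Review bot: the condition `WHERE status!='A'` is broader than the code change in common/include/User.class.php, which sets unix_status to 'D' only on the user-deletion path: this statement also revokes the Unix account of every user whose status is anything other than active (pending or suspended accounts included), while the application code leaves those accounts untouched. If sweeping all non-active users is the intent, document that in the changelog; otherwise narrow the migration to `WHERE status='D'` so the one-off fix-up matches the runtime behaviour. Minor nit: the standard SQL inequality operator is `<>`; PostgreSQL accepts `!=` as well, so this is portability only.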
Index: common/include/User.class.php
===================================================================
--- common/include/User.class.php	(revision 16198)
+++ common/include/User.class.php	(working copy)
@@ -502,6 +502,7 @@
 			plugin_hook("user_delete", $hook_params);
 
 			$this->setStatus('D');
+			$this->setUnixStatus('D');
 			db_commit();
 		}
 		return true;
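Review bot: the return value of the added `$this->setUnixStatus('D');` is ignored, so if that call fails the transaction still reaches `db_commit()` with status 'D' but the Unix account left active, which is exactly the state this patch is meant to eliminate (the deleted user still has a usable password login). Check the result and roll back the transaction, returning false, when it fails, so a deletion that could not revoke the Unix account is not silently committed as successful.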
_______________________________________________
Fusionforge-general mailing list
Fusionforge-general@lists.fusionforge.org
http://lists.fusionforge.org/cgi-bin/mailman/listinfo/fusionforge-general

--- End Message ---

-- 
Olivier BERGER 
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Ingenieur Recherche - Dept INF
Institut Mines-Telecom, Telecom SudParis, Evry (France)

