
UMCE Linux Meeting October 13, 2004

Moderator: Albert
Note Taker: Patrick
Attending: Patrick, Wes, Willie, Tony, Kevin, Sean, Albert, Bill, Martin, Liam, Andrew I, Andrew M, Marcus, Jane


Next Meeting: October 27
Martin will Moderate
Kevin will take notes

10 announcements ( everyone )
Albert: gpcc linux is up and running and he wants feedback.
Albert: jason sonnenschein is no longer with us.
Kevin: Needs reiserfs in kernel and will build it into a new default unless someone complains
Liam needs a machine for blog testing
Patrick offered xserve
All staff meeting tomorrow outdoors in the rain with barnyard animals
Andrew I: Interesting problem on loginglinux
ssh slows down on non linux copies
Deploy this spring
Andrew I: rolling out DHCP for campus through hostmaster
Andrew I: rolling out third party registration through hostmaster


5  sites linux is starting soon (Andrew M/Albert)
    Loadsets on DI boxes
    deploying 4 machines
    pam logout scripts are not running
    ready to go on angell pilot
    Albert has OpenOffice and Java built
    includes gaim, firefox, etc.  mostly kde
    working on stats apps
    kmail works with Kerberos, working on evolution and balsa
    looking to replace solaris "bread" boxes
    Kevin: What does it mean when you have "Java Built?"
    Albert: From source, including ant
    Kevin: Would use JDK, ant, and friends

10 suid and sgid, being able to set permissions without forking binaries (Albert)
    Security audit suggested that we remove suid and sgid bits
    Marcus suggested that we mount those binaries on a volume with suid and sgid disabled
    sendmail could be built with privilege separation

        /bin/mount
        /bin/ping
        /bin/su
        /bin/umount
        /sbin/unix_chkpwd
        /usr/bin/chsh
        /usr/bin/crontab
        /usr/bin/gpasswd
        /usr/bin/chage
        /usr/bin/procmail
        /usr/bin/chfn
        /usr/bin/lppasswd
        /usr/bin/passwd
        /usr/bin/newgrp
        /usr/bin/pt_chown
        /usr/bin/at
        /usr/bin/expiry
        /usr/libexec/ssh-keysign
DROP        /usr/local/krb5/bin/ksu
DROP        /usr/local/krb5/bin/v4rcp
        /usr/local/kde/bin/fileshareset
        /usr/local/kde/bin/kcheckpass
        /usr/local/kde/bin/kgrantpty
        /usr/local/kde/bin/kpac_dhcp_helper
DROP        /usr/local/mit-k5-1.3.4/bin/ksu
DROP        /usr/local/mit-k5-1.3.4/bin/v4rcp
        /usr/sbin/ssh-keysign
        /usr/sbin/mtr
        /usr/sbin/rscsi
        /usr/sbin/sendmail
        /usr/sbin/traceroute
        /usr/X11R6/bin/XFree86
        /usr/X11R6/bin/xterm

According to Adam Herscher, Chris Wing over at CAEN (wingc@xxxxxxxxx) has said they've removed the suid bit from all but the following binaries on their linux login systems without problem:

            /usr/bin/newgrp
            /bin/su
            /bin/ping
            /sbin/unix_chkpwd	[ part of PAM, this checks shadow
                        passwords for non-root apps. It could
                        probably be disabled since we use
                        Kerberos ]

We should probably do the same. Otherwise, security vulnerabilities in individual packages become root exploits.

Same goes for setgid binaries:

        /usr/bin/write
        /usr/bin/procmail
        /usr/bin/lockfile
        /usr/local/kde/bin/kdesud
        /usr/local/nmh/bin/inc

        Proposed: drop all bits but su and see who screams
            Concern: procmail/sendmail -> only root can send mail
            Testing: Use overload
            Update build notes to indicate removal of bits
            ( should ra.sh warn on these? )
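An added example, not part of the meeting notes or any UMCE tool: a small POSIX sh audit that takes a setuid/setgid inventory in the format `find` would produce, compares it against an allow-list, and prints the chmod lines that would strip the remaining bits (printed for review, not executed). The allow-list here is hypothetical and simply mirrors the four binaries CAEN reportedly kept; the findings and the /proc/mounts-style lines are constructed samples so the script runs offline. A second function covers Marcus's alternative by checking whether a given path sits under a nosuid mount.

```shell
#!/bin/sh
# Added example (not from the meeting notes): audit suid/sgid binaries against
# a site allow-list and flag the rest, in the spirit of "drop all bits but su".

# Hypothetical allow-list: the suid binaries CAEN reportedly kept; no sgid keeps.
KEEP_SUID="/bin/su /bin/ping /usr/bin/newgrp /sbin/unix_chkpwd"
KEEP_SGID=""

# On a real host the inventory comes from:
#   find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -printf '%m %p\n'
# Constructed sample in that format so the script runs offline:
SAMPLE_FINDINGS='4755 /bin/su
4755 /bin/ping
4755 /usr/bin/passwd
4755 /usr/local/krb5/bin/ksu
2755 /usr/bin/write
2755 /usr/local/kde/bin/kdesud
6755 /usr/bin/procmail'

# in_list NEEDLE "space separated haystack" -> exit 0 if NEEDLE is present
in_list() {
    for item in $2; do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

# classify_bits "FINDINGS" -> one line per file: VERDICT BITS PATH
# A file keeps a bit only when the allow-list for that bit names it; a file
# carrying both bits must be allowed for both, otherwise it is flagged.
classify_bits() {
    printf '%s\n' "$1" | while read -r mode path; do
        [ -n "$path" ] || continue
        case "$mode" in
            4*) bits=suid; in_list "$path" "$KEEP_SUID" && v=KEEP || v=DROP ;;
            2*) bits=sgid; in_list "$path" "$KEEP_SGID" && v=KEEP || v=DROP ;;
            6*) bits=suid+sgid
                if in_list "$path" "$KEEP_SUID" && in_list "$path" "$KEEP_SGID"; then
                    v=KEEP
                else
                    v=DROP
                fi ;;
            *) continue ;;   # not a suid/sgid mode, ignore
        esac
        printf '%s %s %s\n' "$v" "$bits" "$path"
    done
}

# drop_commands "FINDINGS" -> chmod lines that would remove the flagged bits.
# Printed rather than run so the list can be reviewed (and noted in build
# notes) before anything changes on disk.
drop_commands() {
    classify_bits "$1" | while read -r v bits path; do
        [ "$v" = DROP ] || continue
        case "$bits" in
            suid)      printf 'chmod u-s %s\n' "$path" ;;
            sgid)      printf 'chmod g-s %s\n' "$path" ;;
            suid+sgid) printf 'chmod u-s,g-s %s\n' "$path" ;;
        esac
    done
}

# Constructed /proc/mounts-style sample: /usr/local is mounted nosuid, / is not.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda5 /usr/local ext3 rw,nosuid,nodev 0 0'

# mount_has_nosuid "MOUNTS" PATH -> exit 0 if the longest mount point
# containing PATH carries the nosuid option (which also disables sgid).
mount_has_nosuid() {
    best=""; best_opts=""
    while read -r dev mnt fstype opts rest; do
        [ -n "$mnt" ] || continue
        case "$2" in
            "$mnt"|"${mnt%/}"/*)
                if [ ${#mnt} -gt ${#best} ]; then best=$mnt; best_opts=$opts; fi ;;
        esac
    done <<EOF
$1
EOF
    case ",$best_opts," in *,nosuid,*) return 0 ;; *) return 1 ;; esac
}

# Demo run over the constructed samples
classify_bits "$SAMPLE_FINDINGS"
drop_commands "$SAMPLE_FINDINGS"
if mount_has_nosuid "$SAMPLE_MOUNTS" /usr/local/krb5/bin/ksu; then
    echo "ksu is already neutralised by a nosuid mount"
fi
```

To use it on a real box, replace `SAMPLE_FINDINGS` with the output of the `find` command in the comment and feed `/proc/mounts` to `mount_has_nosuid`; anything the script reports as DROP that a user later "screams" about is a candidate for the allow-list rather than for the bit being put back silently.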

5 X11 and other redundant transcripts (Albert)
Marcus pointed out there are multiple X11's
( His doesn't have man pages )
( Sites' doesn't have build notes )
Sites is looking at X.org amorously and will publish notes
Marcus would like to look at notes - concerned options will not work for him
All: look at what is redundant and eliminate overlap; check in build notes


5  Task Management Software ( gelle )
    Tabled
        Jane has looked at footprints
        GPCC and IFS is going to test and report back

10 iptable subgroup status ( kevin, sean, & jane )
sean and clunis have locked themselves out of test machines; tip is the iptables user's friend
code works, sean added port redirection
jane wrote an rc shell script thingy
the subgroup will meet again


5 CVS ( clunis )
Not only has Kevin done nothing on this, but he's forgotten which machine he's supposed to be doing it on and what he volunteered to do. He promises to do something but would like to know what it is. (Talk to Katarina, Martin?)


5  LSA update ( mcneal )
    they haven't touched the machine since it was given to them

kpachla@xxxxxxxxx:
I won't be able to make it to today's meeting, but
wanted to touch base with you for sake of the "LSA
update" part of the agenda. We've been having some problems
with the server we loaded. When we shut it down and moved it
into the rack, it didn't fully re-boot. Since it was late afternoon
the day before start of a vacation, I didn't really troubleshoot it
at the time, and haven't looked into it since. I'll take another look at
it before the end of the week and hopefully have more to report in time
for the next meeting. Sorry there's so little. -Karen


5  new base transcript - where are we? ( sweda )
    everyone should be on new base - security fixes
    Marcus would like to reconvene base group
    proposed meeting week from today

10 Development Radmind Server ( mcneal )
    dependent on server cleanup
    sites needs this mirror

10 Transcript Cleaning ( mcneal )
    Needs to be automated
    shared is new location

5  New hardware for sixthday ( anyone )
    martin will check with Andrew I

5 What is a quorum? ( all )
Wes, Andrew I. and Kevin have talked about this extensively.
If we need ordering around, then one of them must be here.
Kevin, Wes, and Andrew meet on their own, and make the decisions without us that have to do with ordering people around, so that those things won't need to be brought to these meetings.


Marcus weighs in that the people present at the meeting are empowered to decide if they have enough representation to make a meeting. It's up to them. Others agree with this concept, and we decide to move on.

Postponed until next meeting, unless we have more time than I suspect:

10 Move to 2.6 kernel ( all )
10 Evaluating alternative boot loaders. grub, gujin, or others? (anyone)