removing login rights from non-overseers

removing login rights from non-overseers

[Christopher Faylor]

Just a heads up that I plan on nuking the login rights of people that I
find who are obviously not "overseers".  cvs access will still be
allowed, of course.

cgf

Re: removing login rights from non-overseers

[Jonathan Larmour]

Christopher Faylor wrote:
> Just a heads up that I plan on nuking the login rights of people that I
> find who are obviously not "overseers".  cvs access will still be
> allowed, of course.

Remember there's currently no other way than logging in to change the FTP 
areas.

Jifl
-- 
eCosCentric    http://www.eCosCentric.com/    The eCos and RedBoot experts
--["No sense being pessimistic, it wouldn't work anyway"]-- Opinions==mine

Re: removing login rights from non-overseers

[Christopher Faylor]

On Wed, Jun 09, 2004 at 04:14:38AM +0100, Jonathan Larmour wrote:
>Christopher Faylor wrote:
>>Just a heads up that I plan on nuking the login rights of people that I
>>find who are obviously not "overseers".  cvs access will still be
>>allowed, of course.
>
>Remember there's currently no other way than logging in to change the FTP 
>areas.

I have set up CVS mirroring to the FTP areas recently.  I can do that if
it's desired.  I don't know how well it works, though.  I have a vague
feeling that someone would have done this already if it was a good
solution.

I don't mind a small number of responsible people (like you) having
login access.  About 23% of the 526 accounts on sourceware have login
access, though.  That's too high.  I just went through the list and
found a bunch of people that I knew had moved on, too.  I thought I'd
done that not too long ago but I guess it should be a periodic sweep.

Can you send me a list of who in the old eCos project should still have
direct logins, Jonathan?

GCC seems to be a big offender of general login access.  I think we
probably should be cutting back there, too.  Is there any reason for
anyone in the gcc project to have general login access anymore?

cgf

Re: removing login rights from non-overseers

[Gerald Pfeifer]

On Tue, 8 Jun 2004, Christopher Faylor wrote:
> GCC seems to be a big offender of general login access.  I think we
> probably should be cutting back there, too.  Is there any reason for
> anyone in the gcc project to have general login access anymore?

I believe it makes sense for people like Joseph Myers, and overseers
in general (though this group is not defined in a formal way).

We also do have the gccadmin account, but in general I prefer to do
simple checks and in fact everything possible using my personal account,
and only use the role accounts when necessary.

Gerald
-- 
Gerald Pfeifer (Jerry)   gerald@pfeifer.com   http://www.pfeifer.com/gerald/

Re: removing login rights from non-overseers

[Ian Lance Taylor]

Gerald Pfeifer <gerald@pfeifer.com> writes:

> We also do have the gccadmin account, but in general I prefer to do
> simple checks and in fact everything possible using my personal account,
> and only use the role accounts when necessary.

I tend to think it is best to do as little as possible using the role
account, and in fact I think it might not be such a bad idea to forbid
people from logging in as the role account.

Ian

Re: removing login rights from non-overseers

[Christopher Faylor]

On Thu, Jun 10, 2004 at 04:18:59PM -0400, Ian Lance Taylor wrote:
>Gerald Pfeifer <gerald@pfeifer.com> writes:
>>We also do have the gccadmin account, but in general I prefer to do
>>simple checks and in fact everything possible using my personal
>>account, and only use the role accounts when necessary.
>
>I tend to think it is best to do as little as possible using the role
>account, and in fact I think it might not be such a bad idea to forbid
>people from logging in as the role account.

I would agree, in general, with this philosophy but how would people be
able to make changes to the gccadmin stuff like cron jobs?

cgf

Re: removing login rights from non-overseers

[Ian Lance Taylor]

Christopher Faylor <me@cgf.cx> writes:

> >I tend to think it is best to do as little as possible using the role
> >account, and in fact I think it might not be such a bad idea to forbid
> >people from logging in as the role account.
> 
> I would agree, in general, with this philosophy but how would people be
> able to make changes to the gccadmin stuff like cron jobs?

sudo

Ian

Re: removing login rights from non-overseers

[Jonathan Larmour]

Christopher Faylor wrote:
> On Thu, Jun 10, 2004 at 04:18:59PM -0400, Ian Lance Taylor wrote:
> 
>>Gerald Pfeifer <gerald@pfeifer.com> writes:
>>
>>>We also do have the gccadmin account, but in general I prefer to do
>>>simple checks and in fact everything possible using my personal
>>>account, and only use the role accounts when necessary.
>>
>>I tend to think it is best to do as little as possible using the role
>>account, and in fact I think it might not be such a bad idea to forbid
>>people from logging in as the role account.
> 
> 
> I would agree, in general, with this philosophy but how would people be
> able to make changes to the gccadmin stuff like cron jobs?

<fx: butts in :-)>

Perhaps a cron job that does something like:

8 * * * * sh -c "sleep 15 ; cd cvs ; cvs -q up gccadmin.crontab ; crontab 
gccadmin.crontab" &

where the cvs directory contains a checkout where CVSROOT was set to /cvs/gcc

(I don't know if cron would have recursion problems, but the sleep and 
backgrounding should help avoid that theoretical problem).

If someone screws the crontab up there could be problems that require an 
overseers intervention, but that should be rare.

Jifl
-- 
eCosCentric    http://www.eCosCentric.com/    The eCos and RedBoot experts
--["No sense being pessimistic, it wouldn't work anyway"]-- Opinions==mine

Re: removing login rights from non-overseers

[Gerald Pfeifer]

On Thu, 10 Jun 2004, Jonathan Larmour wrote:
> <fx: butts in :-)>
>
> Perhaps a cron job that does something like:
>
> 8 * * * * sh -c "sleep 15 ; cd cvs ; cvs -q up gccadmin.crontab ; crontab
> gccadmin.crontab" &
>
> where the cvs directory contains a checkout where CVSROOT was set to /cvs/gcc

If you do it fully automatically, anyone with CVS write access can
obtain gccadmin shell access on sourceware (and it might interfere
if someone, like me, is currently working on some snapshot-related
changes).

So far making this kind of update by hand hasn't been a problem, at
least on the GCC side (and as far as I can see).

Gerald

Re: removing login rights from non-overseers

[Christopher Faylor]

On Thu, Jun 10, 2004 at 04:42:59PM -0400, Ian Lance Taylor wrote:
>Christopher Faylor <me@cgf.cx> writes:
>>>I tend to think it is best to do as little as possible using the role
>>>account, and in fact I think it might not be such a bad idea to forbid
>>>people from logging in as the role account.
>>
>>I would agree, in general, with this philosophy but how would people be
>>able to make changes to the gccadmin stuff like cron jobs?
>
>sudo

There are 23 keys in the authorized keys file.  This is a sort -u of the
name part of the foo@bar last comment field:

CRT
bothner
davem
dje
gdr
ghazi
jason
jsm28
law
mitchell
pcg
pfeifer
pme
root
toon
tromey

All of these are easy enough to decipher except for CRT and root.
I don't remember; was it a steering committee decision to set up gccadmin
and give people access?  How would we go about instituting this change?

cgf

Re: removing login rights from non-overseers

[Jonathan Larmour]

Gerald Pfeifer wrote:
> On Thu, 10 Jun 2004, Jonathan Larmour wrote:
> 
>><fx: butts in :-)>
>>
>>Perhaps a cron job that does something like:
>>
>>8 * * * * sh -c "sleep 15 ; cd cvs ; cvs -q up gccadmin.crontab ; crontab
>>gccadmin.crontab" &
>>
>>where the cvs directory contains a checkout where CVSROOT was set to /cvs/gcc
> 
> 
> If you do it fully automatically, anyone with CVS write access can
> obtain gccadmin shell access on sourceware

Shrug... anything that involves having a gccadmin crontab which some people 
can edit, means those people have sort of shell access.

But you're right, it would help if there was CVSROOT=/cvs/gccadmin and 
suitably responsible people in a gccadmin group then :-). Or even 
CVSROOT=/home/gccadmin/cvsroot with people in the gccadmin group and 
appropriate perms. With the power of security through obscurity[1] it's 
unlikely a hacker would realise the gccadmin crontab is a way to run commands.

Sudo is a lot simpler but does mean many people still retain complete and 
interactive shell access. But it's true that either way a Bad Person can 
work out how to run arbitrary commands. The only way to stop that is with 
restricted shells/interpreters which is a slog. Although an alternative 
which may be helpful enough is if a chrooted environment for the gccadmin 
account was set up.

> (and it might interfere
> if someone, like me, is currently working on some snapshot-related
> changes).

CVS resolves conflicts better than a free-for-all.

Jifl
[1] Why does no-one ever complain that passwords are merely security 
through obscurity?
-- 
eCosCentric    http://www.eCosCentric.com/    The eCos and RedBoot experts
--["No sense being pessimistic, it wouldn't work anyway"]-- Opinions==mine

Re: removing login rights from non-overseers

[Ian Lance Taylor]

Jonathan Larmour <jifl@eCosCentric.com> writes:

> Sudo is a lot simpler but does mean many people still retain complete
> and interactive shell access.

sudo permits restricting which commands can be executed.  I don't know
whether we can realistically use that, though.

Ian

Re: removing login rights from non-overseers

[Angela Marie Thomas]

> Jonathan Larmour <jifl@eCosCentric.com> writes:
> 
> > Sudo is a lot simpler but does mean many people still retain complete
> > and interactive shell access.
> 
> sudo permits restricting which commands can be executed.  I don't know
> whether we can realistically use that, though.
> 
> Ian

Would you set it up unpassworded for certain people for certain operations?
Not everyone does, or should, have a real password on the machine.

--Angela

Re: removing login rights from non-overseers

[Christopher Faylor]

On Thu, Jun 10, 2004 at 05:29:14PM -0400, Ian Lance Taylor wrote:
>Jonathan Larmour <jifl@eCosCentric.com> writes:
>> Sudo is a lot simpler but does mean many people still retain complete
>> and interactive shell access.
>
>sudo permits restricting which commands can be executed.  I don't know
>whether we can realistically use that, though.

As long as we set the group ownership correctly, it seems like the only
thing you'd need sudo for would be cron.

cgf

Re: removing login rights from non-overseers

[Joseph S. Myers]

On Thu, 10 Jun 2004, Christopher Faylor wrote:

> On Thu, Jun 10, 2004 at 05:29:14PM -0400, Ian Lance Taylor wrote:
> >Jonathan Larmour <jifl@eCosCentric.com> writes:
> >> Sudo is a lot simpler but does mean many people still retain complete
> >> and interactive shell access.
> >
> >sudo permits restricting which commands can be executed.  I don't know
> >whether we can realistically use that, though.
> 
> As long as we set the group ownership correctly, it seems like the only
> thing you'd need sudo for would be cron.

That would include such things as proper group permissions on gccadmin's
home directory (to update the snapshot date files, if running snapshots
manually) and on all of onlinedocs (similarly), with scripts setting
umasks so as to keep such permissions on new directories they create.  
I've just added group write permissions to those files and directories in
/var/www/gcc/htdocs/onlinedocs that were owned by gccadmin and didn't
already have them (many did) so this shouldn't be a problem now for
changes to existing files/directories if running update_web_docs manually
not as gccadmin; note that some files and directories, with and without
group write permission, are owned by other users than gccadmin (pme, bkoz
at least) - those directories without group write permission should
probably get it.

-- 
Joseph S. Myers
jsm@polyomino.org.uk

Re: removing login rights from non-overseers

[Christopher Faylor]

On Thu, Jun 10, 2004 at 03:08:49PM -0700, Angela Marie Thomas wrote:
>>Jonathan Larmour <jifl@eCosCentric.com> writes:
>>>Sudo is a lot simpler but does mean many people still retain complete
>>>and interactive shell access.
>>
>>sudo permits restricting which commands can be executed.  I don't know
>>whether we can realistically use that, though.
>
>Would you set it up unpassworded for certain people for certain
>operations?  Not everyone does, or should, have a real password on the
>machine.

I'd say yes that's the way to do it.  You've already authenticated by logging
in via ssh, just like now.  By requiring individual accounts, we'd at least
have an audit trail, unlike now.

cgf

Re: removing login rights from non-overseers

[Ian Lance Taylor]

Christopher Faylor <me@cgf.cx> writes:

> On Thu, Jun 10, 2004 at 03:08:49PM -0700, Angela Marie Thomas wrote:
> >>Jonathan Larmour <jifl@eCosCentric.com> writes:
> >>>Sudo is a lot simpler but does mean many people still retain complete
> >>>and interactive shell access.
> >>
> >>sudo permits restricting which commands can be executed.  I don't know
> >>whether we can realistically use that, though.
> >
> >Would you set it up unpassworded for certain people for certain
> >operations?  Not everyone does, or should, have a real password on the
> >machine.
> 
> I'd say yes that's the way to do it.  You've already authenticated by logging
> in via ssh, just like now.  By requiring individual accounts, we'd at least
> have an audit trail, unlike now.

Yes, exactly.

Ian

Re: removing login rights from non-overseers

[Gerald Pfeifer]

On Thu, 10 Jun 2004, Christopher Faylor wrote:
> There are 23 keys in the authorized keys file.  This is a sort -u of the
> name part of the foo@bar last comment field:
>
> CRT
> bothner
> davem
> dje
> gdr
> ghazi
> jason
> jsm28
> law
> mitchell
> pcg
> pfeifer
> pme
> root
> toon
> tromey
>
> All of these are easy enough to decipher except for CRT and root.
> I don't remember; was it a steering committee decision to set up gccadmin
> and give people access?  How would we go about instituting this change?

Yes, I believe at one point this was the plan, but I think I could ask
which people really should have to the gccadmin account.  Do you want
me to do that?

Gerald

Re: removing login rights from non-overseers

[Christopher Faylor]

On Fri, Jun 18, 2004 at 09:15:19AM +0200, Gerald Pfeifer wrote:
>On Thu, 10 Jun 2004, Christopher Faylor wrote:
>> There are 23 keys in the authorized keys file.  This is a sort -u of the
>> name part of the foo@bar last comment field:
>>
>> CRT
>> bothner
>> davem
>> dje
>> gdr
>> ghazi
>> jason
>> jsm28
>> law
>> mitchell
>> pcg
>> pfeifer
>> pme
>> root
>> toon
>> tromey
>>
>> All of these are easy enough to decipher except for CRT and root.
>> I don't remember; was it a steering committee decision to set up gccadmin
>> and give people access?  How would we go about instituting this change?
>
>Yes, I believe at one point this was the plan, but I think I could ask
>which people really should have to the gccadmin account.  Do you want
>me to do that?

In the interests of security, yes, please.

cgf

Re: removing login rights from non-overseers

[Gerald Pfeifer]

On Fri, 18 Jun 2004, Christopher Faylor wrote:
>> Yes, I believe at one point this was the plan, but I think I could ask
>> which people really should have to the gccadmin account.  Do you want
>> me to do that?
> In the interests of security, yes, please.

Done.  I hope you'll soon get "god ahead an remove me" requests.

Sorry for the delay!

Gerald

Re: removing login rights from non-overseers

[Christopher Faylor]

On Sun, Jul 04, 2004 at 11:52:17PM +0200, Gerald Pfeifer wrote:
>On Fri, 18 Jun 2004, Christopher Faylor wrote:
>>> Yes, I believe at one point this was the plan, but I think I could ask
>>> which people really should have to the gccadmin account.  Do you want
>>> me to do that?
>> In the interests of security, yes, please.
>
>Done.  I hope you'll soon get "god ahead an remove me" requests.
>
>Sorry for the delay!

Thanks, Gerald.

cgf