Security incident on Fedora infrastructure on 23 Jan 2011

Till Maas opensource at till.name
Tue Jan 25 21:50:48 UTC 2011


On Tue, Jan 25, 2011 at 10:14:23AM +1000, Jared K. Smith wrote:

> The account in question was not a member of any sysadmin or Release Engineering
> groups. The following is a complete list of privileges on the account:
>  * SSH to fedorapeople.org (user permissions are very limited on this machine).
>  * Push access to packages in the Fedora SCM.
>  * Ability to perform builds and make updates to Fedora packages.

Did he really not have write access to the Fedora wiki or the different
trac instances (wiki, ticket system) on fedorahosted? I am not sure how
it is handled, but he also might have had push access to the comps repo
on fedorahosted.

Additionally, it would be nice to investigate whether the account was
used to access the test machine resources for package maintainers:
https://fedoraproject.org/wiki/Test_Machine_Resources_For_Package_Maintainers

Regards
Till