Security incident on Fedora infrastructure on 23 Jan 2011

Ricky Zhou ricky at fedoraproject.org
Tue Jan 25 22:10:20 UTC 2011


On 2011-01-25 10:50:48 PM, Till Maas wrote:
> Did he really not have write access to the Fedora wiki or the different
> trac instances (wiki, ticket system) on fedorahosted? I am not sure how
> it is handled, but he also might have had push access to the comps repo
> on fedorahosted.
Sorry, these are omissions on our part.  All packagers have edit
access to the Fedora wiki, push access to comps on fedorahosted, and all
Fedora Accounts are able to login to fedorahosted trac instances (with
no special privileges by default).

We found no unverified Fedora wiki edits or pushes to comps from the
account in question.

> Additionally it would be nice to investigate whether the account was
> used to access the test machine resources for package maintainers:
> https://fedoraproject.org/wiki/Test_Machine_Resources_For_Package_Maintainers
Good point.  We don't run those machines, and all packagers have sudo
there, so Fedora packagers should consider it unsafe to forward their
SSH agent or enter any sensitive information on those machines.  We'll
get in touch with Kevin about checking those machines though.

Thanks,
Ricky
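The caveat above about agent forwarding is the one practical check a packager can act on: on a host where every user has sudo, root can read the forwarded agent socket named in $SSH_AUTH_SOCK and sign with your key. The script below, as an added example that is not part of the original mail or of Fedora Infrastructure's tooling, audits an OpenSSH client config for Host blocks that set ForwardAgent yes. The host names and the sample config are constructed for the example.

```sh
#!/bin/sh
# Added example, not code from the original mail or from Fedora Infrastructure.
# Audits an OpenSSH client config for Host blocks that set "ForwardAgent yes".
# On a shared machine where every user has sudo, root can read the forwarded
# agent socket named in $SSH_AUTH_SOCK and use your keys, so hosts like that
# should not get agent forwarding. Host names below are made up for the example.

# Print "<host> <yes|no|unset>" for each Host block in the given ssh_config.
forward_agent_hosts() {
    awk '
        tolower($1) == "host" {
            if (host != "") print host, (fa == "" ? "unset" : fa)
            host = $2; fa = ""
            next
        }
        tolower($1) == "forwardagent" && host != "" { fa = tolower($2) }
        END { if (host != "") print host, (fa == "" ? "unset" : fa) }
    ' "$1"
}

# Exit 0 when the config forwards the agent to the named host, 1 otherwise.
forwards_agent_to() {
    forward_agent_hosts "$1" |
        awk -v h="$2" '$1 == h && $2 == "yes" { found = 1 } END { exit !found }'
}

# Constructed sample config (an assumption, not anyone's real ~/.ssh/config).
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
Host buildbox.example.org
    ForwardAgent yes
Host pkgs.example.org
    ForwardAgent no
Host *
    ServerAliveInterval 30
EOF

# Lists each host with its ForwardAgent setting; only buildbox.example.org
# forwards the agent in the sample config.
forward_agent_hosts "$SAMPLE_CFG"
```

Run it against your own config with `forward_agent_hosts ~/.ssh/config` and turn off forwarding (or use `ssh -a`) for any shared machine it lists with "yes". Note that OpenSSH uses the first value it finds for a parameter, so a `Host *` block placed before a specific host overrides that host's setting; this script reports each block on its own and does not model that precedence.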