Securing our transifex instance
Damian Myerscough
damian.myerscough at gmail.com
Wed Aug 29 10:22:15 UTC 2007
Hi Dimitris,
I'll have a mess around with that webpage and see if I can break
anything ;) Also, you might want to run a Nessus scan against it, as
that has a good chance of picking up misconfigurations.
On 29/08/2007, Dimitris Glezos <dimitris at glezos.com> wrote:
>
> Hi all.
>
> It's time to add some non-localhost repos to our transifex instance, so
> some advice on the security front would be greatly appreciated.
>
> We're doing everything over SSH, with encrypted keys. Before starting
> the TG app, the admin needs to run ssh-agent and ssh-add. The goal would
> be to have a different service actually handling the keys and the
> commits, but that would have to wait for someone to submit the patchset.
>
> With each repository (host) having its own key pair, `~/.ssh/config`
> right now looks like this:
>
> Host localhost
> User transifex-testuser
> IdentityFile ~/.ssh/id_dsa
>
> #Host cvs.fedoraproject.org
> # User transifex
> # IdentityFile ~/.ssh/id_dsa-cvsfpo
>
> Host repo.or.cz
> User yumex-trans
> IdentityFile ~/.ssh/id_dsa-yumex
>
> Host *
> ForwardX11 no
> ForwardAgent no
> RhostsAuthentication no
> RhostsRSAAuthentication no
> PasswordAuthentication no
> StrictHostKeyChecking yes
> BatchMode yes
> CheckHostIP yes
>
> On the web front, I tried my best to validate properly any input/output
> from/to the user. Since transifex accepts user input, writes files on
> our server, runs OS commands on the server, uses SSH keys to communicate
> with other machines and writes to disks across the Internet, we better
> make sure everything is OK before launching.
>
> It would be great if some of you python hackers take a look at the code,
> or anyone with the hobby of defacing websites run any injection/XSS-foo
> on our instance, in order to identify any additional checks or
> reveal any mistakes I made (which I'm sure I did since it's my first big
> python and TG app).
>
> Our test instance dwells at
>
> http://publictest5.fedora.redhat.com/submit/
>
> Short instructions to get the code and install a local instance to play
> around freely and with less lag can be found at:
>
> https://hosted.fedoraproject.org/projects/transifex/browser/INSTALL
>
> Bugs, reports, suggestions:
>
> https://hosted.fedoraproject.org/projects/transifex/newticket
>
>
> Thanks.
>
> -d
>
> --
> Dimitris Glezos
> Jabber ID: glezos at jabber.org, GPG: 0xA5A04C3B
> http://dimitris.glezos.com/
>
> "He who gives up functionality for ease of use
> loses both and deserves neither." (Anonymous)
> --
>
> _______________________________________________
> Fedora-infrastructure-list mailing list
> Fedora-infrastructure-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
>
--
Regards,
Damian
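A checker for the kind of per-host `~/.ssh/config` quoted above, added here as an example (it is not code from the thread or from transifex): it parses the file with ssh's first-match rule and flags a host that re-enables agent forwarding ahead of the `Host *` defaults, or that reuses another host's key. The sample config and the `build.example.org` host are constructed.

```python
"""Audit an ssh_config used by an unattended service that commits to remote repos."""
import fnmatch
import re

# Defaults the `Host *` block in the quoted config pins; keys are lower-cased.
REQUIRED_DEFAULTS = {
    "forwardagent": "no", "forwardx11": "no", "passwordauthentication": "no",
    "stricthostkeychecking": "yes", "batchmode": "yes", "checkhostip": "yes",
}

def parse_ssh_config(text):
    """Return [(host_patterns, {option: value})] in file order; comments skipped."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "host":
            current = (value.split(), {})
            stanzas.append(current)
        elif current is not None:
            current[1].setdefault(key, value)   # first value inside a stanza wins
    return stanzas

def effective(stanzas, host, option):
    """ssh(1) semantics: the first matching stanza that sets the option wins."""
    for patterns, opts in stanzas:
        if option in opts and any(fnmatch.fnmatchcase(host, p) for p in patterns):
            return opts[option]
    return None

def audit(text):
    """Return findings for every literal (non-wildcard) host; [] means it passes."""
    stanzas = parse_ssh_config(text)
    hosts = [p for pats, _ in stanzas for p in pats if not set("*?") & set(p)]
    findings, keys = [], {}
    for host in hosts:
        for opt, want in REQUIRED_DEFAULTS.items():
            got = effective(stanzas, host, opt)
            if got is None or got.lower() != want:
                findings.append(f"{host}: {opt} is {got!r}, expected {want!r}")
        key = effective(stanzas, host, "identityfile")
        if key is None:
            findings.append(f"{host}: no IdentityFile, falls back to default keys")
        elif key in keys:
            findings.append(f"{host}: shares IdentityFile {key} with {keys[key]}")
        keys.setdefault(key, host)
    return findings

# Constructed sample: the quoted config plus one stanza placed before `Host *`.
SAMPLE = """Host localhost
  User transifex-testuser
  IdentityFile ~/.ssh/id_dsa
Host repo.or.cz
  User yumex-trans
  IdentityFile ~/.ssh/id_dsa-yumex
Host build.example.org
  ForwardAgent yes
  IdentityFile ~/.ssh/id_dsa
Host *
  ForwardX11 no
  ForwardAgent no
  PasswordAuthentication no
  StrictHostKeyChecking yes
  BatchMode yes
  CheckHostIP yes
"""
```

Running `audit(SAMPLE)` reports two findings for `build.example.org` (agent forwarding re-enabled, key shared with localhost) and none for the two hosts taken from the mail.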