Securing our transifex instance

Damian Myerscough damian.myerscough at gmail.com
Wed Aug 29 10:22:15 UTC 2007


Hi Dimitris,

I'll have a mess around with that webpage and see if I can break
anything ;) Also, you might want to run a Nessus scan against it, as
that has a good chance of picking up misconfigurations.

On 29/08/2007, Dimitris Glezos <dimitris at glezos.com> wrote:
>
> Hi all.
>
> It's time to add some non-localhost repos to our transifex instance, so
> some advice on the security front would be greatly appreciated.
>
> We're doing everything over SSH, with encrypted keys. Before starting
> the TG app, the admin needs to run ssh-agent and ssh-add. The goal would
> be to have a different service actually handling the keys and the
> commits, but that would have to wait for someone to submit the patchset.
>
> With each repository (host) having its own key pair, `~/.ssh/config`
> right now looks like this:
>
>         Host localhost
>          User transifex-testuser
>          IdentityFile ~/.ssh/id_dsa
>
>         #Host cvs.fedoraproject.org
>         # User transifex
>         # IdentityFile ~/.ssh/id_dsa-cvsfpo
>
>         Host repo.or.cz
>          User yumex-trans
>          IdentityFile ~/.ssh/id_dsa-yumex
>
>         Host *
>          ForwardX11 no
>          ForwardAgent no
>          RhostsAuthentication no
>          RhostsRSAAuthentication no
>          PasswordAuthentication no
>          StrictHostKeyChecking yes
>          BatchMode yes
>          CheckHostIP yes
>
> On the web front, I tried my best to validate properly any input/output
> from/to the user. Since transifex accepts user input, writes files on
> our server, runs OS commands on the server, uses SSH keys to communicate
> with other machines and writes to disks across the Internet, we better
> make sure everything is OK before launching.
>
> It would be great if some of you python hackers take a look at the code,
> or anyone with the hobby of defacing websites run any injection/XSS-foo
> on our instance, in order to identify any additional checks or
> reveal any mistakes I made (which I'm sure I did since it's my first big
> python and TG app).
>
> Our test instance dwells at
>
>   http://publictest5.fedora.redhat.com/submit/
>
> Short instructions to get the code and install a local instance to play
> around freely and with less lag can be found at:
>
>   https://hosted.fedoraproject.org/projects/transifex/browser/INSTALL
>
> Bugs, reports, suggestions:
>
>   https://hosted.fedoraproject.org/projects/transifex/newticket
>
>
> Thanks.
>
> -d
>
>
>
> --
> Dimitris Glezos
> Jabber ID: glezos at jabber.org, GPG: 0xA5A04C3B
> http://dimitris.glezos.com/
>
>
> "He who gives up functionality for ease of use
> loses both and deserves neither." (Anonymous)
> --
>
> _______________________________________________
> Fedora-infrastructure-list mailing list
> Fedora-infrastructure-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
>


-- 
Regards,
  Damian
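Added example, not transifex code and not from either poster: a small Python
pre-launch checker for the two things the thread asks about, the per-host
~/.ssh/config quoted above and the user input that ends up in file paths and
ssh command lines. SAMPLE_CONFIG is a constructed, trimmed copy of the config
in the mail. The IdentitiesOnly check goes beyond what the mail sets: with every
per-host key loaded into one ssh-agent, ssh will otherwise offer all of them to
each remote. checked_host, safe_target_path and the repo_root argument are
assumed names for illustration, not functions from the project.

```python
import posixpath
import re

# Values every host must inherit from "Host *": those the mail's config sets, plus
# IdentitiesOnly, so ssh does not offer every key in the shared agent to every remote.
REQUIRED_GLOBAL = {
    "forwardx11": "no", "forwardagent": "no", "passwordauthentication": "no",
    "stricthostkeychecking": "yes", "batchmode": "yes", "checkhostip": "yes",
    "identitiesonly": "yes",
}

# Constructed sample: a trimmed copy of the ~/.ssh/config quoted in the mail.
SAMPLE_CONFIG = """\
Host localhost
 User transifex-testuser
 IdentityFile ~/.ssh/id_dsa

Host repo.or.cz
 User yumex-trans
 IdentityFile ~/.ssh/id_dsa-yumex

Host *
 ForwardX11 no
 ForwardAgent no
 PasswordAuthentication no
 StrictHostKeyChecking yes
 BatchMode yes
 CheckHostIP yes
"""

OPTION_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)\s*(?:=\s*|\s)(.*)$")
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def parse_ssh_config(text):
    """Return [(host_pattern, {option_lowercased: value}), ...] in file order."""
    stanzas = [("", {})]  # options before the first Host line land in stanza ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPTION_RE.match(line)  # accepts both "Opt value" and "Opt=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            stanzas.append((value, {}))
        else:
            stanzas[-1][1][key] = value
    return stanzas


def lint_ssh_config(text):
    """Return a list of findings; an empty list means the config passes."""
    findings, owner = [], {}
    stanzas = parse_ssh_config(text)
    wildcard = dict(kv for pat, opts in stanzas if pat == "*" for kv in opts.items())
    for opt, want in REQUIRED_GLOBAL.items():
        got = wildcard.get(opt, "unset")
        if got.lower() != want:
            findings.append("Host *: %s is %s (want %s)" % (opt, got, want))
    for pattern, opts in stanzas:
        if pattern in ("", "*"):
            continue
        # One key pair per remote: two hosts sharing an IdentityFile means a
        # compromised remote can impersonate the instance at the other one.
        ident = opts.get("identityfile")
        if ident is None:
            findings.append("Host %s: no IdentityFile" % pattern)
        elif ident in owner:
            findings.append("Host %s: shares %s with Host %s" % (pattern, ident, owner[ident]))
        else:
            owner[ident] = pattern
        # ssh_config is first-match-wins, so a per-host stanza placed before
        # "Host *" silently overrides the hardening; flag any such override.
        for opt, want in REQUIRED_GLOBAL.items():
            if opt in opts and opts[opt].lower() != want:
                findings.append("Host %s: overrides %s=%s" % (pattern, opt, opts[opt]))
    return findings


def checked_host(host, stanzas):
    """Accept only a plain hostname with its own Host stanza, so a user-controlled
    value cannot smuggle ssh options (e.g. "-oProxyCommand=...") into a command."""
    if not HOSTNAME_RE.match(host):
        raise ValueError("not a hostname: %r" % host)
    if host not in [pat for pat, _ in stanzas if pat not in ("", "*")]:
        raise ValueError("no Host stanza for %r" % host)
    return host


def safe_target_path(repo_root, user_path):
    """Map a user-supplied relative file name under repo_root, refusing traversal.
    String logic only; symlinks inside the checkout still need a separate check."""
    parts = posixpath.normpath(user_path).split("/")
    # After normpath any surviving ".." is leading, so parts[0] decides ("" = absolute, "." = empty)
    if "\x00" in user_path or parts[0] in ("", ".", ".."):
        raise ValueError("path rejected: %r" % user_path)
    return posixpath.join(repo_root.rstrip("/"), *parts)
```

Run lint_ssh_config over the real file's contents before starting the TG app.
On the config as quoted it reports only the missing IdentitiesOnly; it also
catches a per-host stanza placed above "Host *" that quietly overrides the
hardening, which ssh itself never warns about. checked_host and
safe_target_path are the kind of checks to put in front of the code that
writes files and builds the ssh/commit argv from request data; always pass
that argv as a list to subprocess rather than through a shell.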