[HCS-D] office hours notes
gline at fas.harvard.edu
Mon Dec 6 23:59:33 EST 2004
As is now a weekly tradition (or something) here are some things that
happened at office hours tonight, and also some things that didn't but
that should get done sooner or later:
(editor's note: this is a long email. Feel free to skim it :) There is a
summary at the very bottom in list form for the lazy among you...)
People who were present, to my memory: Greg Price, Steve Melendez, Matt
Fasman, Matt Gline, Ivan Krstic, Peter Zoogman, Yves Wang, Kartik, Mike
Hamburg, Nick Nozenblyum, and possibly others whose names for the moment
Things that were done:
1) pf was installed on HCS by Mike Hamburg. This involved recompiling
the kernel, which was done, and HCS was rebooted. At a glance it
did not appear that the firewall was running after the reboot; we're
investigating to see if this is the case or not. It'll be nice to have
pf installed because...
2) As previous emails to HCS-D have indicated, we've sorted out our hacker
problems, sort of. All our php code executes as www. It seems that the
most recent attacks have actually come from a vulnerability in phpBB2,
which a few student groups run. We had a handful of lengthy discussions
about this and how we want it to operate - we're open to input: if php
code continues to operate as www, it will be easy for us to notice when
things are wrong (as the user www will be executing funny looking scripts
and things like that). There are other reasons, however, that it would be
more convenient for users to run their own php scripts - for example, so
they can edit data files accessed by those php scripts. Speaking of which,
3) Steve is currently doing two things so far as I recall related to
this problem: 1) Finding suspect php code (though this is pretty much
done?) and letting users know that they're running bad code, and 2)
creating a list of canonical php scripts (e.g. phpBB, which happened to
be the broken one in this case) to recommend to our users. This way we
can also keep apprised of security updates to these scripts and tell
people running them to upgrade when vulnerabilities arise.
4) Matt F. and Greg worked a bit more on RT. The current problem at hand
is convincing apache that when browsers point to hcs.harvard.edu/rt/foo,
a certain script ought be called with foo passed in as an argument. rt
configuration includes instructions for doing this with mod_perl and
FastCGI, but we use neither of these. Anyone have any idea how to do
5) We discussed at some length the manager spam problem, which has been
exacerbated by the volumes of virus mail we've gotten lately. We have a
partial solution: manager is going to become systems. We're going to
update all the web sites to include images referencing the systems
address instead of mailto links with the manager address, and hopefully
keep systems at hcs off spammers lists. We'll do this migration fairly soon
- and we'll let anyone who has emailed manager in the past while know of
6) Amidst the security conversations, Ivan is slowly convincing us all of
the values of Kernel ACLs, which as I understand it will allow us to
easily do things like assert that www can't execute any binaries apart
from the main system binaries, and so on. He feels this and other things
work much better in Debian and we ought to consider migrating to Debian
in the near run. To see if this is feasible, we're going to try moving
lists over relatively soon, and see how that goes. If it goes well,
we'll move hcs as well. This will also give us a chance to look hard at
all of the various details of our infrastructure and clean things up a
bit. Ivan is in charge of leading the preparation for that change.
7) Also on a security note, there was some talk of writing scripts to
keep an eye on processes running as www and code present in /tmp. There
was also talk about paring down the cronjob daily run security emails so
that people will actually read them and notice when Bad Things happen.
9) This is a lie, it didn't actually get done, but we also need to talk
about disk space and the possibility of acquiring more of it - perhaps
in the form of a netapp filer, a proposal which a certain well
positioned alumni pointed out last week could be very much attainable :)
Comments are welcome on whether HCS ought to invest in something like
10) Ivan set up his Dell running Debian, with the intention of using
it to demonstrate the power of Debian and also so we can use it during
the lists migration.
Surely, lots more that I've forgotten which isn't any less important
also happened. There was pizza and soda, and it was on time...
Steve is gonna clean up the makelist.php script a bit (which has been a
smashing success since last week and made acctserv work much easier).
Some names were shuffled around in wheel and manager and things like
that. There was talk of elections in two weeks - we need to name an
Here's a list of things that got done, in shorthand:
1) PF Installed (operational? maybe)
2) systems mail alias created *** to replace manager soon ***
3) some faulty php code found and its owners notified.
4) discussions of security - kernel ACLs, etc.
5) RT progress. CGI question still remains.
6) *** We've resolved to install Debian on lists in the near future ***
7) discussions of php code security... should we move perl to mod_perl?
Here's a list of things that ought to get done soon:
1) newlist.hcs wrapper code to deal with spam bounce...
2) modify access to accept more than 10 student group logins
3) publicize twiki more
4) do to group-add.sh what was done to makelist - create a script
that'll read the email in mutt and make the group.
5) make makelist.php do more sanity checking. check against /etc/passwd,
among other things.
6) fix our backup system, really. This is important. I swear. We should
do it soon. Even if we get snapshot directories or a netapp or whatever.
7) clean up the logging system
8) clean up hcsa. Take some entries out of the procmail and dump some of
the archives we don't need anymore.
9) upgrade mailman (maybe this could coincide with migrating lists?)
10) inquire with frank steen about obtaining control over our own DNS.
This'd be cool.
11) Does anyone still think it might be neat to have a hardware firewall
on one of the sparcs?
12) ___________________________ (fill in the blank)
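
Item 7 of the notes mentions scripts to watch processes running as www and code present in /tmp. One way such a check could look, as an added example that is not part of the original email or HCS's own scripts; the allowlist of command names and the sample ps lines are assumptions made for illustration:

```sh
# Added example (not HCS code). Assumes the web user is "www" as in the notes;
# the allowlist of expected command names below is hypothetical.
WEB_USER="${WEB_USER:-www}"
ALLOWED="${ALLOWED:-httpd php php-cgi}"

# stdin: "USER PID COMMAND..." lines (ps -axo user,pid,command).
# stdout: "PID COMMAND..." for web-user processes that run from a tmp
# directory or whose command name is not on the allowlist.
unexpected_procs() {
    awk -v user="$WEB_USER" -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == user {
            exe = $3; sub(/.*\//, "", exe); sub(/:$/, "", exe)
            if ($3 ~ /^\/(var\/)?tmp\// || !(exe in ok)) {
                $1 = ""; sub(/^ /, ""); print
            }
        }'
}

# Lists regular files under DIR owned by OWNER (name or uid), tagged as
# executable, script (starts with "#!" or "<?php"), or data.
owned_tmp_files() {
    find "$1" -xdev -type f -user "$2" 2>/dev/null | while IFS= read -r f; do
        magic="$(head -c 5 "$f" 2>/dev/null | tr -d '\000')"
        case "$magic" in '#!'*|'<?php'*) tag=script ;; *) tag=data ;; esac
        if [ -x "$f" ]; then tag=executable; fi
        printf '%s\t%s\n' "$tag" "$f"
    done
}

# Constructed sample of ps output (not real data from HCS).
sample_ps() {
    cat <<'EOF'
USER PID COMMAND
root 310 /usr/local/sbin/httpd -k start
www 411 /usr/local/sbin/httpd -k start
www 812 /tmp/.x/httpd -p 4000
www 813 perl /tmp/udp.pl
gline 900 mutt
EOF
}

# Live use: ps -axo user,pid,command | unexpected_procs
#           owned_tmp_files /tmp "$WEB_USER"
sample_ps | unexpected_procs
```

Run from cron, the output of both functions can be diffed against the previous run so the daily security mail only reports what changed.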