[mirror-admin] MirrorManager ACL is useless

Axel Thimm Axel.Thimm at atrpms.net
Tue Nov 8 02:54:28 EST 2011


On Mon, Nov 07, 2011 at 08:59:57PM +0100, Jan Kasprzak wrote:
> Matt Domsch wrote:
> : On Mon, Nov 7, 2011 at 1:37 PM, Jan Kasprzak <kas at fi.muni.cz> wrote:
> : > has anybody actually looked at the mirrormanager ACL file
> : > at https://admin.fedoraproject.org/mirrormanager/rsync_acl ?
> : > I think it is pretty unusable as a list of Tier 2 mirrors
> : > which can be allowed to access the pre-bitflip content.
> : > It contains whatever the mirror owners decide to put into
> : > mirrormanager: I can probably add something like
> : >
> : > \n[hiddenmodule]\npath=/\nuid=root\ngid=root\nread only=no\n
> : >
> : > there and get the full access to the whole file system of those
> : > mirrors who are "brave enough" to include this list in their rsyncd.conf.
> : > The input is not sanitized in any way. It contains empty lines,
> : > several rsync:// urls, several /24 prefixes, a /15 prefix,
> : > and two /8 prefixes.
> : > 
> : > Some time ago I wanted to use it for my pre-bitflip data module,
> : > but after looking at it I have decided to maintain the list of
> : > downstream Tier-2 mirrors for my site manually.
> : 
> : This is all true.  It simply passes through what any mirror admin may
> : wish to put there, and anyone with a FAS account can create a mirror
> : entry in MM.  It certainly needs to be sanitized before use, but as I
> : haven't spent any time thinking about what a sanitized list there
> : would look like, and it wasn't really being used, it's been a low
> : priority thought process (at best).

I think it should at least be sanitized to be either an ip/network or
a resolvable hostname at the time of data entry. Yenya's hiddenmodule
example shows that it can lead to serious issues if the list is used
(although I think newlines are not that easy to inject).

> 	OK. Personally, I have no problem with that. I just wanted it
> to be stated explicitly, as from time to time I see posts containing the
> "I use the ACL from MirrorManager" statement on this list (in fact,
> wgetting the list and including it in rsyncd.conf has been recommended
> here even today).

That was me, and I stand by it! :)

The fact that it is currently unsanitized and indeed needs at the very
least a security audit if people are supposed to use it for their
rsyncd setup shouldn't mean that we should ignore it.

Actually if the list is not fixed many mirror admins like myself and
others before me that suggested using it will run into possible
security issues. So if we decide to not fix it we should ask for
removing it to avoid its usage.

Maybe the list can be pruned and affected mirror admins can be asked
to reenter their acl hosts/networks. We should think what we would
like to see in there and help with patching mirrormanager. The service
that a safe list would provide is quite high - every half year we have
the private and public chasing of higher tiers by several mirror
admins and a delay in deploying the pre-bitflip contents. A
standardization of procedures would greatly help getting the content
faster to the mirrors.

Let's think what we should allow, my 0.02:

o IPv4/IPv6 addresses and networks up to a certain size
o FQDNs that resolve at data entry time

The network size is IMHO not really a grave security issue, at most a
rogue mirror admin could inject a too large network that effectively
forces the mirrors to leak. But the same rogue admin has access to the
pre-bitflip contents by definition and can leak it anyway he desires
(of course forcing the whole mirror infrastructure to assist in doing
so isn't great either). I think a maximum network size would make
everyone happy - there are not that many mirror clusters that would
require a network size larger than 254 nodes for example.

A more conservative and laborious approach would be to have these
entries blessed by some mirror master admin. Just like the current
help cries are blessed by individual mirror admins.

Anyway just my thoughts on automating more on the mirroring front.

> -Yenya
-- 
Axel.Thimm at ATrpms.net
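The following is an added example, not MirrorManager or rsync code, of the kind of sanitizer Axel proposes above: it keeps only IPv4/IPv6 addresses and networks no wider than an assumed floor (/24 for IPv4, /64 for IPv6, both assumptions), plus FQDNs that pass a syntactic check and a resolver callback. The resolver is injected so the check can stand in for "resolves at data entry time" without touching DNS; the stub table, the sample entries and the embedded hiddenmodule payload are constructed for the demonstration.

```python
"""Sanitize raw rsync ACL entries before they are rendered into rsyncd.conf.

Added example (not MirrorManager code). Prefix floors, the fake resolver
and the sample entries are assumptions constructed for illustration.
"""
import ipaddress
import re
from typing import Callable, List, Optional, Tuple

# Assumed policy: no IPv4 network wider than /24, no IPv6 network wider than /64.
MIN_IPV4_PREFIX = 24
MIN_IPV6_PREFIX = 64

# RFC 1123 hostname label: 1-63 chars, alnum and '-', no leading/trailing '-'.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# rsyncd.conf is line- and section-oriented; any of these characters lets an
# entry escape 'hosts allow' and start its own [module] or key = value line.
_FORBIDDEN = set("\r\n[]=#;,")

# Constructed stand-in for DNS: only names in this set "resolve".
FAKE_DNS = {"tier2.example.org"}


def fake_resolve(name: str) -> bool:
    return name.lower().rstrip(".") in FAKE_DNS


# Constructed sample of what an unsanitized, admin-supplied list might hold,
# including Yenya's hiddenmodule payload entered as one field with newlines.
SAMPLE_ENTRIES: List[str] = [
    "192.0.2.0/24",
    "198.51.100.7",
    "rsync://mirror.example.net/fedora",
    "10.0.0.0/8",
    "203.0.113.0/15",
    "2001:db8:1::/48",
    "2001:db8:2::/64",
    "tier2.example.org",
    "does-not-resolve.example.com",
    "",
    "198.51.100.9\n[hiddenmodule]\npath=/\nuid=root\ngid=root\nread only=no\n",
]


def is_valid_fqdn(name: str) -> bool:
    """Syntactic hostname check; rejects all-numeric TLDs so '1.2.3' is not a host."""
    name = name.rstrip(".")
    if not name or len(name) > 253 or "." not in name:
        return False
    labels = name.split(".")
    return all(_LABEL.match(label) for label in labels) and not labels[-1].isdigit()


def sanitize_entry(raw: str, resolve: Optional[Callable[[str], bool]] = None) -> Optional[str]:
    """Return a form safe to place in 'hosts allow', or None if the entry is rejected."""
    entry = raw.strip()
    if not entry or any(c in _FORBIDDEN for c in entry) or any(c.isspace() for c in entry):
        return None
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        net = None
    if net is not None:
        floor = MIN_IPV4_PREFIX if net.version == 4 else MIN_IPV6_PREFIX
        if net.prefixlen < floor:
            return None  # too wide: would force every mirror to leak broadly
        return str(net.network_address) if net.num_addresses == 1 else str(net)
    if is_valid_fqdn(entry):
        if resolve is not None and not resolve(entry):
            return None  # the "must resolve at data entry time" rule
        return entry.lower().rstrip(".")
    return None


def sanitize_list(raw_entries: List[str], resolve=None) -> Tuple[List[str], List[str]]:
    """Split raw entries into (accepted, rejected); accepted is de-duplicated in order."""
    accepted, rejected, seen = [], [], set()
    for raw in raw_entries:
        clean = sanitize_entry(raw, resolve)
        if clean is None:
            rejected.append(raw)
        elif clean not in seen:
            seen.add(clean)
            accepted.append(clean)
    return accepted, rejected


def hosts_allow_line(accepted: List[str]) -> str:
    """Render the rsyncd.conf 'hosts allow' setting (space-separated list)."""
    return "hosts allow = " + " ".join(accepted)


def contains_section_header(text: str) -> bool:
    """True if any line of the rendered text would start a new [module] section."""
    return re.search(r"^\s*\[", text, re.M) is not None


if __name__ == "__main__":
    ok, bad = sanitize_list(SAMPLE_ENTRIES, resolve=fake_resolve)
    print(hosts_allow_line(ok))
    print("rejected:", bad)
```

Splicing the raw list into the config with `"\n".join(SAMPLE_ENTRIES)` would produce a `[hiddenmodule]` section; the sanitized rendering cannot, because every entry is a single token with no newline, bracket or `=` in it. Pruning to a prefix floor is a policy choice, and the floors above are only the example's assumption.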
