Closed
Bug 883690
Opened 11 years ago
Closed 11 years ago
Consider relaxing security checks in getcert.cgi for puppetagain certificate grabbing [for seamonkey]
Categories
(Infrastructure & Operations :: RelOps: Puppet, task)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 939543
People
(Reporter: Callek, Assigned: rail)
Details
So, in puppet320, we have getcert.cgi which is used by the puppetizing process to allow us to automatically generate and have puppet-signed certs for hosts. https://wiki.mozilla.org/ReleaseEngineering/PuppetAgain/Puppetization_Process The getcert.cgi script has builtin security checks, for the following: * Host is within the 10.*.*.* range. * Host is in DNS (per what the machine sees) * Hosts DNS reverse maps to mozilla.com * Hosts IP falls within an array of regex's we provide in secrets The first 3 of the above blocks SeaMonkey from using this script for the following reasons: * SeaMonkey hosts are allocated public IP ranges (63.245.223.*) [though no public netflows] * SeaMonkey hosts must use Google DNS servers, and we don't expose DNS, for these IPs * due to no DNS, no mozilla.com DNS The IP regex is still doable/useable. ----- I don't even know if this is possible to do without DNS, but if it is would make setting up SeaMonkey machines easier... if its not I would love to figure out what I need to document to make it happen. First needinfo to dustin if this is even something we can both do technically and something he would be `willing` to support in puppetAgain even if we config in order to keep all moco sec walls here. If :dustin agrees with it, we'd then need to get opsec signoff before we can make it happen. ----- I won't be offended if this is a horrible idea, even for seamonkey and someone feels strong enough to wontfix
Flags: needinfo?(dustin)
|
||
Comment 1•11 years ago
|
||
The 10.0/8 check is redundant to the IP regexes, so that could be removed without issue. DNS is required for functionality, not just security. One option may be adding things to /etc/hosts on the puppetmaster. But your hosts are in global DNS, so I don't see why that's an issue. dustin@cerf ~ $ host sea-puppet.community.scl3.mozilla.com sea-puppet.community.scl3.mozilla.com has address 63.245.223.125 dustin@cerf ~ $ host 63.245.223.125 125.223.245.63.in-addr.arpa domain name pointer sea-puppet.community.scl3.mozilla.com. dustin@cerf ~ $ So yes, feel free to remove the 10.*.*.* check. The rest should stay. Please do that in a non-sec bug.
Flags: needinfo?(dustin)
|
||
Updated•11 years ago
|
Group: core-security → infra
|
||
Updated•11 years ago
|
Group: infra
Component: Server Operations: RelEng → RelOps: Puppet
Product: mozilla.org → Infrastructure & Operations
QA Contact: arich → dustin
|
|
||
Updated•11 years ago
|
Assignee: server-ops-releng → bugspam.Callek
|
|
||
Comment 2•11 years ago
|
||
Rail, while you're changing getcert.cgi, can you remove the hard-coded 10.* check? Easiest will be to just dupe this bug to wherever you make that change.
Assignee: bugspam.Callek → rail
|
Assignee | |
Comment 3•11 years ago
|
||
(In reply to Dustin J. Mitchell [:dustin] (I read my bugmail; don't needinfo me) from comment #2) > Rail, while you're changing getcert.cgi, can you remove the hard-coded 10.* > check? Easiest will be to just dupe this bug to wherever you make that > change. Done!
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•