Closed Bug 562737 Opened 14 years ago Closed 14 years ago

Using sudo should also notify the bugzilla maintainer

Categories

(Bugzilla :: User Accounts, enhancement)

3.4.6
enhancement
Not set
normal


RESOLVED WONTFIX

People

(Reporter: reed, Assigned: reed)

Details

(Whiteboard: [wanted-bmo])

Attachments

(1 file)

Attached patch: patch - v1
Right now, when an admin in bz_sudoers uses sudo, the user being sudo'd receives an e-mail, but there isn't any type of notification sent to the maintainer. The maintainer should also receive a similar notification informing him/her of the sudo usage.
Severity: normal → enhancement
Attachment #442483 - Flags: review?(LpSolit)
Attachment #442483 - Flags: review?(LpSolit) → review?(mkanat)
Please skip sending the e-mail if the sudoer is the maintainer ;)
I disagree--I don't want sudo sending even more email. What's the problem that this is trying to solve?
(In reply to comment #2)
> I disagree--I don't want sudo sending even more email. What's the problem that
> this is trying to solve?

Lack of logging. Admins/maintainers don't have any notification that sudo has been used at all unless the person being sudo'd notifies the maintainer.
Okay. I think you should note it as an audit action in profiles_activity instead, then.
(In reply to comment #4)
> Okay. I think you should note it as an audit action in profiles_activity
> instead, then.

Bug 562750 created for log audit.

As for email, this should also happen and/or be a configuration option. Email is a better way to notify a maintainer.
Why do you want to notify the maintainer that somebody is using sudo?
(In reply to comment #4)
> Okay. I think you should note it as an audit action in profiles_activity
> instead, then.

That doesn't actually inform/notify anybody. I think that's a good *addition* besides this RFE, but I don't think it negates this RFE completely. Logging and notification are really two separate things.
(In reply to comment #6)
> Why do you want to notify the maintainer that somebody is using sudo?

Because it could be a malicious use of sudo... Accountability is important in a well-maintained bugzilla instance.
Okay. And when has this actually happened? What would be the situation in which you would add somebody to bz_sudoers and then have a malicious usage?
Our security controls are designed to be proactive to identify malicious behavior before a successful compromise. Without logging controls such as this we have no way of knowing if an unauthorized user has found a flaw to perform such an attack.
If somebody has compromised bz_sudoers, you have literally seconds to stop them from doing something harmful. An email will not help, and instead will simply become spam for the vast majority of Bugzilla admins every time somebody uses sudo. Even if you did get the emails, it would probably go somewhere that would be ignored, because 99.999% of the time (if not 100% of the time), it would be a valid usage.

I think the right solution here is to make sure that people cannot compromise bz_sudoers (which they cannot), and to have strong controls on accounts (which we have, starting in 3.6, pretty much).
(In reply to comment #11)
> If somebody has compromised bz_sudoers, you have literally seconds to stop them
> from doing something harmful. An email will not help, and instead will simply
> become spam for the vast majority of Bugzilla admins every time somebody uses
> sudo. Even if you did get the emails, it would probably go somewhere that would
> be ignored, because 99.999% of the time (if not 100% of the time), it would be
> a valid usage.
> 
> I think the right solution here is to make sure that people cannot compromise
> bz_sudoers (which they cannot), and to have strong controls on accounts (which
> we have, starting in 3.6, pretty much).

Agreed on the speed of an event but what is in place to track what really happened? There is still no accountability from what we understand. Malicious or not.
(In reply to comment #12)
> Agreed on the speed of an event but what is in place to track what really
> happened? There is still no accountability from what we understand. Malicious
> or not.

  Yeah, no, that I agree with. I think that recording the event in the profiles_activity table (Bug 562750) is a better solution for that.
(In reply to comment #13)
>   Yeah, no, that I agree with. I think that recording the event in the
> profiles_activity table (Bug 562750) is a better solution for that.

Again, that's logging, not notification. I want notification that something as powerful as sudo is being used.
(In reply to comment #14)
> I want notification that something as powerful as sudo is being used.

  I understand that. But there hasn't been any justification stated here for spamming the admin with a notification that will be useless with an almost 100% guarantee. I'm only interested in handling actual security scenarios.
This came up because we recently had a questionable use of sudo on bugzilla.mozilla.org. We had it completely disabled outright, and an admin enabled it for himself and used it (for what turned out to be a benign purpose in the end, but was unnecessary and what he was trying to do could have easily been accomplished without needing to use it).
(In reply to comment #14)
> Again, that's logging, not notification. I want notification that something as
> powerful as sudo is being used.

If you cannot trust your bz_sudoers team, you are in trouble. Now, I cannot estimate how often the sudo feature is used, but I doubt it's used that much, in which case I'm fine with the maintainer being notified (an appropriate X-Bugzilla-Type header should make it easy to filter notifications in the email client). Note comment 1 from Marc: do not notify the maintainer if he is the one impersonating someone else.
(In reply to comment #16)
> We had it completely disabled outright, and an admin enabled it for himself
> and used it

^^^ and that specifically was the kicker. Not so much that it was used for a questionable reason, but that it was used at all when we supposedly had it completely disabled.
  Okay. If you have an admin, who is already an admin, and they do something that you don't want them to, I don't think that's a scenario that Bugzilla should really be implementing features to protect against. Protecting against somebody becoming an admin without rights to? Absolutely! That's one reason why bz_sudoers is in bz_sudo_protect by default, and so is the "admin" group.
  On the other hand, if you want to help us implement a general auditing framework that allowed notifications on certain audit events, I'd be totally in support of that, provided that it was implemented in an architecturally clean way.
Comment on attachment 442483 [details] [diff] [review]
patch - v1

So that's r- based on the fact that I don't want this to happen.
Attachment #442483 - Flags: review?(mkanat) → review-
  As I said above, I would absolutely be interested in a general user (or perhaps even Object) auditing system. We could probably do it now with minimal rearchitecture.
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → WONTFIX
Target Milestone: Bugzilla 3.8 → ---
Comment on attachment 442483 [details] [diff] [review]
patch - v1

I disagree. I should not have to write an entire audit system just to get proper notifications that sudo is being used. Appealing to the module owner on this one.
Attachment #442483 - Flags: review?(justdave)
(In reply to comment #22)
>   As I said above, I would absolutely be interested in a general user (or
> perhaps even Object) auditing system. We could probably do it now with minimal
> rearchitecture.

Max,
Not sure why there is a big push back NOT to do this as it seems rather simple. Upon anybody using the sudo feature some sort of alert should be generated like email or alert and log. Log event is noted in Bug 562750 (which has had no comments, BTW).

I understand your reasons for not moving forward but they are completely invalid from our point of view. While we trust our admins, there should be some clear accountability for the actions that they take in any installation. I would guarantee that we would have seen this activity if it was emailed to our admins. Email filters are a wonderful thing.
Hey Chris. I perceive it as a feature that we don't really need, and that doesn't actually solve a problem for the majority of Bugzilla installations using sudo, even if it would have solved this one particular problem that happened this one particular time at one particular organization (Mozilla).

For the accountability, I think the right solution is bug 562750, which would probably be pretty simple. Probably somebody could have written a patch for it in the collective time we've all spent writing comments on this bug. :-)
(In reply to comment #25)
> Hey Chris. I perceive it as a feature that we don't really need, and that
> doesn't actually solve a problem for the majority of Bugzilla installations
> using sudo, even if it would have solved this one particular problem that
> happened this one particular time at one particular organization (Mozilla).
> 
> For the accountability, I think the right solution is bug 562750, which would
> probably be pretty simple. Probably somebody could have written a patch for it
> in the collective time we've all spent writing comments on this bug. :-)

At this point, we will take what we can get. Logging is our preferred method and us here in Security are making a BIG push for application level logging. So using this feature should generate something which we could turn around and email. So email fine, I am willing to give up on that one but logging, not really.
(In reply to comment #25)
> For the accountability, I think the right solution is bug 562750, which would
> probably be pretty simple. Probably somebody could have written a patch for it
> in the collective time we've all spent writing comments on this bug. :-)

Logging != notification. Please do not confuse the two.
Logging can be used to generate a notification, because we can always have nagios watch the log and page someone. ;)
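As an added example (not code from this bug's patch or from Bugzilla itself), here is how the "have nagios watch the log" approach from the comment above could look: a Nagios-style check that parses sudo start entries out of an audit log, skips the maintainer's own sudo sessions as comment 1 asks, and goes CRITICAL on any other session inside the check window. The log line format, the sample entries and the maintainer address are constructed assumptions, not Bugzilla's real profiles_activity layout.

```python
import re
from datetime import datetime, timedelta, timezone

# Hypothetical maintainer address (Bugzilla would take this from its
# 'maintainer' parameter; constructed here for the example).
MAINTAINER = "maintainer@example.com"

# Assumed audit line layout (constructed): "<ISO8601 UTC> sudo_start sudoer=<who> target=<whom>"
LINE_RE = re.compile(r"^(?P<ts>\S+) sudo_start sudoer=(?P<sudoer>\S+) target=(?P<target>\S+)$")

def parse_sudo_events(lines):
    """Extract sudo_start entries; other audit actions are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "sudoer": m["sudoer"], "target": m["target"]})
    return events

def notifiable(events, maintainer=MAINTAINER, since=None):
    """Drop the maintainer's own sudo use (comment 1) and entries before 'since'."""
    return [e for e in events
            if e["sudoer"] != maintainer and (since is None or e["ts"] >= since)]

def nagios_check(lines, now, window=timedelta(minutes=5), maintainer=MAINTAINER):
    """Return (exit_code, message) in Nagios plugin convention: 0=OK, 2=CRITICAL."""
    hits = notifiable(parse_sudo_events(lines), maintainer, since=now - window)
    if not hits:
        return 0, "OK: no sudo use in the last %d minutes" % (window.total_seconds() // 60)
    detail = "; ".join("%s impersonated %s at %s" % (e["sudoer"], e["target"],
                                                     e["ts"].strftime("%H:%M:%SZ")) for e in hits)
    return 2, "CRITICAL: %d sudo session(s): %s" % (len(hits), detail)

# Constructed sample log: one stale entry, one unrelated action, one maintainer
# self-use (suppressed) and one real sudo session that should page someone.
SAMPLE_LOG = [
    "2010-04-29T09:00:00Z sudo_start sudoer=admin@example.com target=old@example.com",
    "2010-04-29T10:16:30Z login_name_changed user=someone@example.com",
    "2010-04-29T10:17:05Z sudo_start sudoer=maintainer@example.com target=user@example.com",
    "2010-04-29T10:18:40Z sudo_start sudoer=admin@example.com target=user@example.com",
]

if __name__ == "__main__":
    code, msg = nagios_check(SAMPLE_LOG, datetime(2010, 4, 29, 10, 20, tzinfo=timezone.utc))
    print(msg)
    raise SystemExit(code)
```

Run under cron or as a Nagios plugin against the real audit log; the maintainer's address and the time window are the two knobs that decide who gets paged and how noisy the check is.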
Comment on attachment 442483 [details] [diff] [review]
patch - v1

Clearing the request for review as the bug has been closed as wontfix.
Attachment #442483 - Flags: review?(justdave)
Whiteboard: [wanted-bmo]