[Systems] Downloads with vulnerabilities
James Cameron
quozl at laptop.org
Sat Dec 1 00:13:06 EST 2018
Thanks to Thomas for cleaning from 38 GB to 32 GB, but there are still
many downloads with potential and real vulnerabilities; i.e. if they
are installed, and connected to the internet, they can be infected.
For example:
- Fedora Live SoaS VM .ova files from 2014,
- XSCE VM .ova file from 2013,
- Ubuntu 12.04,
- Trisquel VMs from 2011,
- SoaS Mirabelle from 2010,
- Fedora Live from 2010,
- OpenSUSE VM from 2009.
Updating them to latest would be best, otherwise delete.
On Wed, Nov 07, 2018 at 06:54:29PM +1100, James Cameron wrote:
> ...
>
> For account tgillard, it kept copies of virtual machines and operating
> system installers that were available from somewhere else, about 38
> GB. No login since February 2016, no new files since 2015, and none
> of the files are recent; security risk of zero day vulnerabilities if
> installed. Mail alias tgillard at sugarlabs.org was never used.
>
> +CC Thomas, can we delete the account now? Or can you clean it up and
> delete the out of date files with security vulnerabilities?
>
> On Wed, Nov 07, 2018 at 04:31:07AM +0100, Samson Goddy wrote:
> > Peace Ojemeh just created an account yesterday.
> >
> > On Wed, Nov 7, 2018, 4:29 AM Walter Bender <[1]walter.bender at gmail.com> wrote:
> >
> > A few people on the list are still active: tgilliard for example. And
> > please keep cjl's account around.
> >
> > On Tue, Nov 6, 2018 at 10:21 PM Bernie Innocenti <[2]bernie at codewiz.org>
> > wrote:
> >
> > On 11/7/18 10:20 AM, James Cameron wrote:
> > > Small typo in sunjammer:/etc/skel/public_html has been fixed, and
> > > copied to affected users' public_html/
> > >
> > > ajay aleph anurag aperez arun aurora ayush bashintosh benzea caroline
> > > christophd cjb cjl crodas dcastelo dcrossland dsd dvd earias erikg
> > > fran godiard ishan jminor kaametza kandarpk leio mako manusheel marco
> > > martasd martin mokurai mostro mstone mtd mukul mvn naufraghi neeraj
> > > nubae peaceojemeh pflores piro rasky rralcala rsl sergiodj shanjit sj
> > > socialhelp tal tuukka werner woody wwdillingham
> > >
> > > Know any of these users are inactive? Perhaps we should remove them.
> > >
> > > There are 119 user home directories on sunjammer.
> >
> > There's an old cronjob to find users with expired ldap passwords and
> > notify them by email: /etc/cron.weekly/check_pwd_expire
> >
> > I ran a modified version that doesn't send email to generate this list:
> >
> > Note: user alsroot password has expired since 668 days
> > Warning: user asharma has no LDAP entry
> > Note: user bashintosh password has expired since 1197 days
> > Warning: user dcrossland has no LDAP entry
> > Note: user francis password has expired since 821 days
> > Note: user francocorrea password has expired since 912 days
> > Note: user mako password has expired since 898 days
> > Note: user martasd password has expired since 954 days
> > Note: user mstone password has expired since 1107 days
> > Note: user quidam password has expired since 1068 days
> > Note: user rolf password has expired since 991 days
> > Note: user rralcala password has expired since 820 days
> > Note: user sam password has expired since 429 days
> > Warning: user tgilliard has no LDAP entry
> >
> > There's also system-userdel, a convenient script which removes users
> > from ldap and other places and moves their home to /home/_disabled
> >
> > Feel free to delete all these users, except sam and rralcala who
> > are still active. User tgilliard is actually Tgilliard in ldap... weird
> > :-)
> >
> > Providing shell accounts to developers was still fashionable 10 years
> > ago, but with things like GitLab which support the entire development
> > -> release -> web deployment cycle, I no longer see the reason in most
> > cases. Developer accounts have become a huge security concern due to
> > the various CPU exploits, so I would avoid giving out more shell
> > accounts to people who are not supposed to be root anyway.
> >
> > --
> > _ // Bernie Innocenti
> > \X/ [3]https://codewiz.org/
> > _______________________________________________
> > Systems mailing list
> > [4]Systems at lists.sugarlabs.org
> > [5]http://lists.sugarlabs.org/listinfo/systems
> >
> > --
> > Walter Bender
> > Sugar Labs
> > [6]http://www.sugarlabs.org
> >
> > References:
> >
> > [1] mailto:walter.bender at gmail.com
> > [2] mailto:bernie at codewiz.org
> > [3] https://codewiz.org/
> > [4] mailto:Systems at lists.sugarlabs.org
> > [5] http://lists.sugarlabs.org/listinfo/systems
> > [6] http://www.sugarlabs.org/
> > [7] http://www.sugarlabs.org/
> > [8] mailto:Systems at lists.sugarlabs.org
> > [9] http://lists.sugarlabs.org/listinfo/systems
>
> --
> James Cameron
> http://quozl.netrek.org/
--
James Cameron
http://quozl.netrek.org/
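
Added example, not part of the original thread and not the Sugar Labs check_pwd_expire script: a triage of the report lines quoted above into removal candidates. The line format is taken from the quoted output; the keep set and the list of LDAP uids are hypothetical inputs supplied by the caller, used here to hold back accounts named as active and to catch a "no LDAP entry" warning that is only a case mismatch (tgilliard vs Tgilliard).

```python
import re

# Report lines copied from the output quoted in the thread.
REPORT = """\
Note: user alsroot password has expired since 668 days
Warning: user asharma has no LDAP entry
Note: user bashintosh password has expired since 1197 days
Warning: user dcrossland has no LDAP entry
Note: user francis password has expired since 821 days
Note: user francocorrea password has expired since 912 days
Note: user mako password has expired since 898 days
Note: user martasd password has expired since 954 days
Note: user mstone password has expired since 1107 days
Note: user quidam password has expired since 1068 days
Note: user rolf password has expired since 991 days
Note: user rralcala password has expired since 820 days
Note: user sam password has expired since 429 days
Warning: user tgilliard has no LDAP entry
"""

EXPIRED = re.compile(r"Note: user (\S+) password has expired since (\d+) days")
NO_LDAP = re.compile(r"Warning: user (\S+) has no LDAP entry")


def triage(report, keep=(), ldap_uids=()):
    """Sort report lines into removal candidates; keep and ldap_uids are hypothetical inputs."""
    by_lower = {uid.lower(): uid for uid in ldap_uids}
    result = {"expired": {}, "no_ldap": [], "case_mismatch": {}, "unparsed": []}
    for line in filter(None, map(str.strip, report.splitlines())):
        if m := EXPIRED.fullmatch(line):
            if m[1] not in keep:
                result["expired"][m[1]] = int(m[2])
        elif m := NO_LDAP.fullmatch(line):
            if m[1] in keep:
                continue
            if m[1].lower() in by_lower:
                # Entry exists under different case: fix the lookup, do not delete.
                result["case_mismatch"][m[1]] = by_lower[m[1].lower()]
            else:
                result["no_ldap"].append(m[1])
        else:
            # Unknown line shapes are surfaced rather than silently dropped.
            result["unparsed"].append(line)
    return result


if __name__ == "__main__":
    out = triage(REPORT, keep={"sam", "rralcala"}, ldap_uids={"Tgilliard"})
    for user, days in sorted(out["expired"].items(), key=lambda kv: -kv[1]):
        print(f"{days:5d} days  {user}")
    print("no LDAP entry:", out["no_ldap"], "case mismatch:", out["case_mismatch"])
```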