
cacert-devel - Re: Patch Request Bug #1003

Subject: CAcert Code Development list.


Re: Patch Request Bug #1003


  • From: Wytze van der Raay <wytze AT cacert.org>
  • To: Benny Baumann <benbe AT cacert.org>, "critical-admin AT cacert.org" <critical-admin AT cacert.org>
  • Cc: cacert-devel AT lists.cacert.org, Michael Tänzer <michael.taenzer AT cacert.org>, Bernhard Fröhlich <bernhard AT cacert.org>, Marcus Mängel <inopiae AT cacert.org>, "<ulrich AT cacert.org>" <ulrich AT cacert.org>, Martin Gummi <martin.gummi AT cacert.org>
  • Subject: Re: Patch Request Bug #1003
  • Date: Tue, 22 Oct 2013 11:07:11 +0200
  • Organization: CAcert

Hi Benny,

Benny Baumann wrote on 21-10-2013 23:57:
> we have a follow-up for Bug #1003 to fix the remaining issues mentioned
> in Arbitration a20110118.1 to include Ad Admins and correct some more
> issues found since deployment of the patch v1 on 29th March 2012 and v2
> on 21st June 2012.
>
> This follow-up introduces some minor debugging output when the script is
> run to list the people that were sent mail by the script, mainly as
> means to debug issues on the testserver: sometimes mails for people
> didn't arrive although they were listed for a specific group as could be
> seen in other groups. This output is logged to stdout and should be
> redirected into an appropriate logfile or /dev/null in case this output
> should not be logged (to avoid cron barking about the non-empty output
> of the script).
>
> The patch was reviewed by Michael Tänzer (NEOatNHNG) and me (BenBE).
> Tests were performed by Eva, Marcus Mängel (INOPIAE), Martin Gummi
> (magu) and Ulrich Schröter (uli60).

The patch has been installed on the production server on October 22,
2013. See also the attached log message. In addition the usual upload
and download of messages to/from the translation server has been
performed.

> Please perform the usual update of the translations. In addition it
> would be nice (but is not required) if you could compare the list of
> sent mails (according to the script output) and the mailserver logs
> after the next regular run of the permission review.

The next run will be on January 1, 2014, so that's still a long way out.
But I have left the output of the script "un-redirected", so that it
will cause cron to send e-mail to the critical admins with the debug
output of the script. That will serve as a reminder to check the output
against the mailserver log.

Regards,
-- wytze

--- Begin Message ---
  • From: Wytze van der Raay <wytze AT cacert.org>
  • To: cacert-systemlog AT lists.cacert.org
  • Subject: Fwd: cvs.cacert.org checkin notification
  • Date: Tue, 22 Oct 2013 10:56:36 +0200
  • Organization: CAcert
Fix for http://bugs.cacert.org/view.php?id=1003
"Provide a possibility to regularly review the permissions in the system"

In conjunction with the attached CVS changes a new tarball has been
made available incorporating all updates. The new tarball is available
through http://www.cacert.org/src-lic.php

-- end
--- Begin Message ---
  • From: "root" <root AT cvs.cacert.org>
  • To: critical-admin AT cacert.org
  • Subject: cvs.cacert.org checkin notification
  • Date: Tue, 22 Oct 2013 10:41:48 +0200 (CEST)

uid=0(root) gid=0(root) groups=0(root)
permissionreview.php 1.2 1.3
Tue Oct 22 10:41:48 CEST 2013
Update of /var/lib/cvs/cacert/scripts/cron
In directory webdb:/home/cacert/www/scripts/cron

Modified Files:
permissionreview.php
Log Message:
Fix for http://bugs.cacert.org/view.php?id=1003
"Provide a possibility to regularly review the permissions in the system"

===================================================================
RCS file: /var/lib/cvs/cacert/scripts/cron/permissionreview.php,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- permissionreview.php 2012/06/21 15:24:46 1.2
+++ permissionreview.php 2013/10/22 08:41:48 1.3
@@ -27,7 +27,7 @@

//defines to whom to send the lists
$flags = array(
- 'admin' => array(
+ 'admin=1' => array(
'name' => 'Support Engineer',
'own' => false, //Don't send twice
'board' => true,
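Review bot: encoding the column and its value in the array key (`'admin=1'`) turns the key into a magic string that is parsed with `explode()` in the query loop and must be reproduced exactly by other code (this patch's own `$adminlist['admin=1']` lookup further down). Consider keeping them as explicit properties next to `'name'`, e.g. `'column' => 'admin', 'value' => 1`, and add a comment here documenting what the numeric flag values mean.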
@@ -35,8 +35,8 @@
'ao' => false,
'oao' => false
),
-
- 'orgadmin' => array(
+
+ 'orgadmin=1' => array(
'name' => 'Organisation Assurer',
'own' => true,
'board' => true,
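Review bot: the `-`/`+` pairs of blank lines in this and the following hunks differ only in trailing whitespace; they inflate the diff and bury the one substantive change (`'orgadmin'` to `'orgadmin=1'`). Strip trailing whitespace in a separate commit, or configure the editor not to emit it.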
@@ -44,8 +44,8 @@
'ao' => true,
'oao' => true
),
-
- 'board' => array(
+
+ 'board=1' => array(
'name' => 'Board Member',
'own' => false,
'board' => true,
@@ -53,8 +53,8 @@
'ao' => true,
'oao' => false
),
-
- 'ttpadmin' => array(
+
+ 'ttpadmin=1' => array(
'name' => 'Trusted Third Party Admin',
'own' => true,
'board' => true,
@@ -62,8 +62,17 @@
'ao' => true,
'oao' => true
),
-
- 'tverify' => array(
+
+ 'ttpadmin=2' => array(
+ 'name' => 'Trusted Third Party TOPUP Admin',
+ 'own' => true,
+ 'board' => true,
+ 'support' => true,
+ 'ao' => true,
+ 'oao' => true
+ ),
+
+ 'tverify=1' => array(
'name' => 'Tverify Admin',
'own' => false,
'board' => true,
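Review bot: `'ttpadmin=2'` adds a second role on the same column, but nothing beyond the label 'Trusted Third Party TOPUP Admin' says what the value 2 denotes or which values `ttpadmin` may take; a short comment above the `'ttpadmin=1'` and `'ttpadmin=2'` entries mapping value to role would save the next reader a trip to the schema.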
@@ -71,8 +80,8 @@
'ao' => true,
'oao' => false
),
-
- 'locadmin' => array(
+
+ 'locadmin=1' => array(
'name' => 'Location Admin',
'own' => false,
'board' => true,
@@ -80,30 +89,51 @@
'ao' => false,
'oao' => false
),
+
+ 'adadmin=1' => array(
+ 'name' => 'submit status for Advertising Admin',
+ 'own' => false,
+ 'board' => true,
+ 'support' => true,
+ 'ao' => false,
+ 'oao' => false
+ ),
+
+ 'adadmin=2' => array(
+ 'name' => 'approve status for Advertising Admin',
+ 'own' => false,
+ 'board' => true,
+ 'support' => true,
+ 'ao' => false,
+ 'oao' => false
+ ),
+
+
);


// Build up list of various admins
$adminlist = array();
foreach ($flags as $flag => $flag_properties) {
- $query = "select `fname`, `lname`, `email` from `users` where `$flag`
= 1";
+ $flagname = explode('=', $flag, 2 );
+ $query = "select `fname`, `lname`, `email` from `users` where
`$flagname[0]` = '$flagname[1]'";
if(! $res = mysql_query($query) ) {
fwrite(STDERR,
"MySQL query for flag $flag failed:\n".
"\"$query\"\n".
mysql_error()
);
-
+
continue;
}
-
+
$adminlist[$flag] = array();
-
+
while ($row = mysql_fetch_assoc($res)) {
$adminlist[$flag][] = $row;
}
-
-
+
+
// Send mail to admins of this group if 'own' is set
if ($flag_properties['own']) {
foreach ($adminlist[$flag] as $admin) {
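Review bot: the new query interpolates `$flagname[1]` without checking that `explode('=', $flag, 2)` actually produced two parts; a key without `=` would raise an undefined-index notice and compare the column against an empty string. Both parts come from the hard-coded `$flags` array, so there is no injection path, but a guard such as `if (count($flagname) !== 2) { fwrite(STDERR, ...); continue; }` (or casting the value with `(int)`) makes a malformed key fail loudly instead of silently returning nobody. Minor: the array now ends with two consecutive blank `+` lines before `);`.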
@@ -117,19 +147,20 @@


EOF;
-
+
foreach ($adminlist[$flag] as $colleague) {
$message .= "$colleague[fname]
$colleague[lname] $colleague[email]\n";
}
-
+
$message .= <<<EOF


Best Regards,
CAcert Support
EOF;
-
+
sendmail($admin['email'], "Permissions Review",
$message,
'support AT cacert.org');
+ echo "Sent $flag_properties[name] mail to
$admin[email]\n";
}
}
}
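Review bot: the added `echo "Sent $flag_properties[name] mail to $admin[email]\n"` runs unconditionally after `sendmail()`, so the log records an attempt rather than a confirmed hand-off to the MTA, which is exactly the distinction the cover mail says this output is meant to debug. If `sendmail()` returns a status, print the line only on success and write failures to STDERR as the query-failure branch above already does. Since this output lists recipient addresses, the cron logfile it is redirected to should have restricted permissions.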
@@ -152,7 +183,7 @@
foreach ($adminlist[$flag] as $colleague) {
$message .= "$colleague[fname] $colleague[lname]
$colleague[email]\n";
}
-
+
$message .= "\n\n";
}
}
@@ -163,12 +194,13 @@
CAcert Support
EOF;

-foreach ($adminlist['admin'] as $support_engineer) {
+foreach ($adminlist['admin=1'] as $support_engineer) {
sendmail(
$support_engineer['email'],
"Permissions Review",
$message,

'support AT cacert.org');
+ echo "Sent Support Engineer mail to $support_engineer[email]\n";
}


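Review bot: `$adminlist['admin=1']` hard-codes a key that is defined separately in `$flags`; if that key is ever renamed or its value changed, `foreach` over an undefined index only emits a PHP warning and the support-engineer mail is silently not sent. Share the key through a constant used in both places, or check `isset($adminlist['admin=1'])` and report to STDERR when it is missing.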
@@ -188,14 +220,14 @@
Dear $values[description],

it's time for the permission review again. Here is the list of privileged
users
-in the CAcert web application. Please review them and also ask the persons
+in the CAcert web application. Please review them and also ask the persons
responsible for an up-to-date copy of access lists not directly recorded in
the
-web application (critical admins, software assessors etc.)
+web application (critical admins, software assessors etc.)



EOF;
-
+
foreach ($flags as $flag => $flag_properties) {
if ($flag_properties[$key]) {
$message .= "List of $flag_properties[name]s:\n\n";
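Review bot: the names chosen for the two new `'adadmin'` entries ('submit status for Advertising Admin', 'approve status for Advertising Admin') are pluralised here by `"List of $flag_properties[name]s:"`, producing headings like 'List of submit status for Advertising Admins:'. Either give those entries noun-phrase names (e.g. 'Advertising Admin (submit)') or add a separate plural label to the properties. The `-`/`+` pairs in the heredoc text above appear to differ only in trailing whitespace.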
@@ -205,13 +237,14 @@
$message .= "\n\n";
}
}
-
+
$message .= <<<EOF


Best Regards,
CAcert Support
EOF;
-
+
sendmail($values['email'], "Permissions Review", $message,
'support AT cacert.org');
+ echo "Sent $values[description] mail to $values[email]\n";
}
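Review bot: this is the third `sendmail(...)` followed by an `echo "Sent ... mail to ..."` in the patch; a small wrapper that sends, checks the result and writes the one log line would keep the three call sites consistent and give a single place to distinguish a successful hand-off from a failed one.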

--- End Message ---

Attachment: smime.p7s
Description: S/MIME cryptographic signature


--- End Message ---

Attachment: smime.p7s
Description: S/MIME cryptographic signature



