ocf / utils Goto Github PK

We've been getting emails about this from campus, and in the long run it will be easier to ask everyone to have it installed.

I propose we install https://wordpress.org/plugins/disable-wp-rest-api/ or https://wordpress.org/plugins/rest-api-toolbox/

after setting up the wordpress install.

We should document this happens on ocfweb and probably say something about it when easywp is being run.

#39 needs to have the awk stuff in volume() improved
also it bugs out on 0% due to some spacing issue. Might be useful to forget trying to parse anything and just dump the entire line.

It is currently unclear to the user that these commands cannot be used properly outside of supernova. This is made clear if 'usage' is viewed, but if you just enter a command unknowingly you will see a Python error on the command line. I would recommend that we implement a check to change the output and hide the error if the user is not on supernova.

the python error shouldn't happen as the request doesn't require authencate at all (just curl https://orapps.berkeley.edu/StudentGroupServiceV2/service.asmx/SignatoriesActiveStudentGroups?UID=1234567).
The problems:

1. supernova is running ldap3 2.1.1 and other machines are running ldap3 1.2.2. lower ldap version caused the respond 'calnetUid' to be a list of strings ['1234567'], but on supernova it's a string ('1234567')
2. supernova is running ocflib june 2019 but normal computers are running ocflib sept2019.
   this pr #171 (51924bf809fbeccc9b0087f78d61b71eda47d49e) screwed up things in some functions in ocflib/account/search.py :
   e.g.

    calnet_uid = int(calnet_uid)
    return users_by_filter(
        '(calnetUid={})'.format(escape_filter_chars(calnet_uid))
    )

calnet_uid = int(calnet_uid) actually escaped filter chars, and escape_filter_chars() only takes in str, int or list will all screw it up.

My suggestions:

1. update ldap3 on all machines
2. update ocflib on supernova
3. revert 51924b

This should prevent spelling errors from creeping in to the attendance list.

As mentioned in here, I guess this could be helpful in some case that the username is hard to type.

Right now they're worryingly prone to injection attacks, although at least users can't arbitrarily set SUDO_USER...

ex. WordPress

This would help us fix WordPress compromises a lot faster.

Right now, the minutes script leaves one giant Attendance block that lists everyone who showed up to BoD. This makes it hard to tell after the fact who joined BoD and who was just a visitor, makes it impossible to fully rebuild the membership file if it gets corrupted, and makes things like bod ls unreliable.

We should still have the minute-taker fill in a single attendance block, but after that, the script should split that block into three blocks: current BoD members, guests who joined BoD, and guests who didn't join BoD.

See subject

• Anyone in ocfroot should be in ocfstaff
• Anyone in ocfroot should have a /root and /admin (this involves kerberos too)

Ideally we would also list /root and /admin principals, and ensure these people are in appropriate LDAP groups. But not sure if we can do that easily without requiring ldap-lint to have a privileged kerberos bind

ocf/projects#45

when moving VMs from hypervisors with incompatible CPU types, we should strip the CPU type field from the KVM XML domain metadata so we can just start VMs easily without having to virsh edit <domname> to fix the CPU information.

We currently have an annoying manual process for taking printers in and out of rotation that's prone to error. We should have a script that does this properly.

The utils repository should be reserved for scripts called by a human. ldap-lint is called daily by firestorm, so it should be moved there.

We currently store the sorry reason and old shell in the ~/.sorry and ~/.oldshell files respectively of the sorried user. This is a dangerous practice, because:

• If the user had something valuable in the ~/.sorry file, we overwrite it.
• If the user had an existing ~/.oldshell file, we lose the info about the old shell.
• Worst of all, ~/.sorry could be a symlink created by an attacker to point to important system files. In that case, we would just overwrite those files. (And the scary thing is the script, running as root, actually has permissions to do this.)

We should store this information elsewhere, preferably in a directory that only we control.

After #129 was merged, easywp does not work on new accounts because makemysql fails (since there is no existing config to update the DB password in).

The ability to give pages for just that day would be really handy.

This would mostly involve making a new PR that incorporates the feedback from #114

Extend ocf-kubernetes-deploy so that it will automatically create kubernetes secret resources for certain template files using the same secrets system as other resources. This is needed for config.js in thelounge (instead of ocf/thelounge#9) and homeserver.yaml in matrix.

When an account is sorried, any current processes running as that user should be kill -9d on any machines they could potentially be running on (tsunami, death, vampires, segfault, corruption, and maybe more?).

Also, user crontabs should be disabled on these machines. Cron won't be able to run anything as the user but will still try, filling our logs with garbage. A recent compromise included adding stuff to crontab.

If a user has a Wordpress website set up and resets their database password, the site becomes completely unusable (even to go into settings and change it). Fixing it requires SSHing in and changing the password in the configuration file.

Luckily, we can automate this with wpcli. The makemysql script should also cd into the public_html folder and run wp config set DB_PASSWORD newpasswordgoeshere. It's OK if the command fails since that just means the user doesn't have a Wordpress site.

A message like x_user doesn't have any DNS records associated with them is more human-friendly than an empty table.

Currently sorry and unsorry are pretty complicated scripts to be written in bash and have commented out sections, shellcheck-ignored warnings, etc. It's also tough to know if things done in the sorry script are undone properly in the unsorry script (setting file permissions for instance), so rewriting these two to use common functions and better error handling (maybe even be in the same script file) would be useful.

There are a few Python 2 scripts left; going with our broader migration to Python 3, we should convert these holdouts over to the current decade.

The specific scripts which aren't slated for removal according to my knowledge are:

./acct/chsh
./acct/update-email
./staff/acct/note
./staff/sys/apt-dated
./staff/web/bludgeon
./net/pyrc

Because of updates to ocf-tv, the current sink value will not work. This needs to be updated.

https://github.com/ocf/utils/blob/master/staff/dns/dns-reconcile