Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Thoughts on including Hosting Logs in aegir core as Golden Contrib?
https://www.drupal.org/project/hosting_logs
141 active installs.
Comments
Comment #2
Jon PughComment #3
helmo CreditAttribution: helmo at Initfour websolutions commented+1
Comment #4
ergonlogicWhile I appreciate the convenience this module would provide, I have serious concerns about the security repercussions. I think it's fine in a development scenario, but I'd hesitate to even make it available on a production hosting system.
All kinds of sensitive information could be leaked by exposing logs in this way.
Comment #5
colanI'm not as worried about the security issues here as I am for #2908936: Add Aegir SSH. In this case, nobody's getting access to anything. Sure, it's sensitive information, but it's a much lower risk (and still protected by the front-end).
Maybe allow it with a warning?
Comment #6
Jon PughAegir provides a single point of failure out of the box: "Delete" and "Disable".
We trust the permissions system to work to prevent total destruction of a site.
Why can't we trust that same system to manage access to Logs and the aegir system user?
If you trust the ability to grant "Delete Site" permission surely you can trust that same system to allow "View Logs". We don't have to provide any default permissions.
Comment #7
ergonlogicDeleting a site isn't the worst thing that can happen. An undetected security breach that compromises sensitive information on an ongoing basis is much worse, imo.
Comment #8
Jon PughAnother thing to consider: By not including this module in core Aegir you are encouraging the user to download it themselves, which means they must update it themselves when a new release is put out.
Then they are in the position of potentially having an upgraded Aegir but an out of date contrib module, putting their system at risk.
As the security minded people you are, perhaps you can advise on how you would secure these modules. This functionality is highly desired by users, so it is our job to figure out how to provide it.
If you wanted to think about it this way, all of Aegir is a security risk, mitigated by very clever software.
Let's not hold back useful features because of some ambiguous boilerplate security concerns. Let's think it through and figure out a way to build trustworthy software.
Comment #9
ergonlogicI think, with further review,
hosting_logs
could be added.aegir_ssh
is, on the other hand, by its very nature, a huge broadening of the attack surface for Aegir. It goes in the opposite direction of previous attempts to improve backend security, such asprovisionacl
.If anyone wanted to include it (which I'd highly recommend against, btw), they could add a custom makefile to maintain their Aegir platform relatively easily, as outlined here: http://docs.aegirproject.org/en/3.x/install/#711-custom-make-files.
Comment #11
helmo CreditAttribution: helmo at Initfour websolutions commentedI've added it to our makefile. It's in the experimental section for now We can use #2910437: Review to upgrade from experimental to Advanced section to upgrade it.