Meta
posted by NCommander on Saturday November 12 2022, @08:43AM
from the its-in-flames dept.

So, quick update here. The site was down for most of the night because the database cluster shot itself in the head. I had restarted a machine to install updates, and this caused the backend cluster to entirely lose its mind. Unfortunately, I didn't have a manual dump of the database made, just a VM snapshot, since, well, I wasn't tinkering with it directly. I've mostly been trying to patch things to the point that I can sleep, and leaving things down like IRC and email, which need to be seriously overhauled before they can go back up.

As far as damages go, it looks like we lost 10 or so days of messages, which, uh, sucks for multiple reasons. We're currently on ##soylentnews on Libera.Chat while I pull bits of the site out of the flames, but I'm at the point that if I don't sleep, I will make things worse. Corruption in the production database is very much not what I wanted, and we're very much in limp mode for the moment. I'm going to let staff handle IRC and comments while I sleep, and then I'll post another update when I'm awake.

See you in a few hours

~ NCommander

  • (Score: 2) by RS3 (6367) on Saturday November 12 2022, @08:09PM (#1279398) (1 child)

    Yeah, for what you're doing, esp. that you've been developing your scripts all along, it would probably be more effort to set up Ansible, et al. Those are more oriented to large stacks of duplicate servers.

    That said, some of the "automation" packages make some things much easier, like samba, apache, mysql, and other configurations. I've occasionally used them on a test server just to get some information from them about their ideas for config files, in case I'm missing something, etc. But I already have a big head start on config files, so kind of like systemd, I'm not sure I want to trust someone else's idea of how my system's config files are written...

    Since I don't have a stack of servers, just a few, I've done like you: written several simple scripts to automate simple things like updating WordPress plugins and themes. WordPress has built-in updating available, but it requires giving a site access password to the source for the update.

    IIRC, Apache used to run with per-virtual-host ownership/permissions, i.e., each customer's /home directory is owned by that username, and each Apache process would only have access to those files. But unfortunately Apache runs as apache:apache, so as far as I can tell, giving that access password to one WordPress site would or could give access to all sites. Although it is difficult to get past the virtual root for Apache's files, still, it's a risk.

    Some years ago there was a malicious WordPress plugin that used /tmp as a mechanism to do its dirtywork. I didn't study the thing- it was right around when I inherited the sites around 15 years ago. That was a pretty quick fix, including just some raw OS updates.

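The cross-site exposure RS3 describes above (one shared apache:apache account reaching every customer's files) can be checked from the filesystem alone. The script below is an added example, not code from the thread or from SoylentNews. It assumes the model RS3 describes: the web server and PHP run as a single unprivileged account that is neither the owner nor the group of any customer's files, so it reads them only through the "other" permission bits. Under that model, any per-site secret that is o+r (wp-config.php is the default target here) is readable by plugin code running as the shared user on behalf of every other site, and anything o+w is writable by it. The directory layout, the secret name and the sample sites built by the demo are all assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit per-site docroots that are served by ONE shared web user.
#
# Assumption (not stated on the page): Apache/PHP run as a single account such as
# apache:apache that neither owns nor shares a group with any customer's files, so
# it reaches them only via the "other" bits. Then:
#   o+r on a secret   => code from any other site, running as that user, can read it
#   o+w on anything   => a compromised plugin on any site can plant/rewrite it
#
# Usage: audit_vhosts BASE_DIR [SECRET_NAME]
#   BASE_DIR     directory whose immediate subdirectories are the per-site docroots
#   SECRET_NAME  basename of the per-site secret to look for (default wp-config.php)
# Prints one finding per line; returns 1 if anything was found, 0 if clean.
audit_vhosts() {
    base=$1
    secret=${2:-wp-config.php}
    findings=$(
        for site in "$base"/*/; do
            [ -d "$site" ] || continue
            site=${site%/}
            name=${site##*/}
            # Secrets readable through the "other" bits (octal 004).
            find "$site" -type f -name "$secret" -perm -004 \
                | sed "s|^|world-readable secret: $name: |"
            # Files or directories writable through the "other" bits (octal 002).
            find "$site" \( -type f -o -type d \) -perm -002 \
                | sed "s|^|world-writable: $name: |"
        done
    )
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

# Demo on a constructed tree: two fake sites in a temp dir (hypothetical data).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/site-a" "$tmp/site-b/uploads"
    printf "DB_PASSWORD=hunter2\n" > "$tmp/site-a/wp-config.php"
    printf "DB_PASSWORD=hunter2\n" > "$tmp/site-b/wp-config.php"
    chmod 755 "$tmp/site-a" "$tmp/site-b"
    chmod 644 "$tmp/site-a/wp-config.php"   # readable by the shared web user AND every other site
    chmod 640 "$tmp/site-b/wp-config.php"   # only owner/group: the shared user cannot read it
    chmod 777 "$tmp/site-b/uploads"         # any site's plugin code could write here
    if audit_vhosts "$tmp"; then
        echo "clean"
    else
        echo "(findings listed above)"
    fi
    rm -rf "$tmp"
}

demo
```

The catch the output makes visible is the one RS3 hints at: under a single shared web user, locking wp-config.php down to 0640 also locks the web server out of it, so the only way to keep a secret both readable by its own site and unreadable by the others is to stop sharing the account (per-site PHP-FPM pools or a per-vhost MPM), not to tune the mode bits.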
  • (Score: 2) by JoeMerchant (3937) on Saturday November 12 2022, @09:03PM (#1279405)

    Just recently we updated VirtualBox to whatever installs in Ubuntu 22.04 with apt, and they went and locked down (well, made less open) configuration of host-only network addresses; now you have to create folder /etc/vbox and put a network.conf file in there to specify something other than their 192.168.56.1/20 default range...

    It's always something.

    For SN I would really try to avoid all the "cool" stuff that opens so many security holes like you describe. If you don't have fancy stuff, then you don't need to provide access for updating of the fancy stuff.
