Hi infrastructure team,
I am in doubt how to deal with the "endoflife" service account. In fact, it is not really an account, it is just an email alias. This email address has been used for maintaining and housekeeping old bugs in Bugzilla.
The background: This email alias used to be forwarded to the triage@ mailing list. Some time ago the password policy of Bugzilla changed and this email/account became unavailable due to a weak password. To make this email/account available again I had to request a password reset of the Bugzilla account. The password reset in Bugzilla is done via email, and the email to confirm the password reset was sent to the publicly available triage@ mailing list. Then I realized that anybody can hijack the account using the password reset. To avoid this, I redirected the endoflife Bugzilla account to my private email address. However, I do not think this is a good solution and I would like to find a way to solve this problem properly.
Currently, the best way I see is to make the "endoflife" email alias a full-blown account in FAS, instead of an email alias only. However, as far as I know, we are using FAS for real people only. So, my question is whether there is a better way to deal with this service email/account?
Thanks for pointing me in the right direction :)
Best Regards, Jan
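The risk described in the message above is that a password-reset mail follows an alias chain (endoflife@ forwarding to triage@) until it lands on a publicly readable list. The following is an added example, not code from the thread or from Fedora Infrastructure, that audits where a reset address actually ends up: it expands aliases transitively, detects alias loops, and flags any account whose reset mail would be delivered to a public list. The alias table and the set of public lists are constructed sample values; the hypothetical triage@lists.example.org stands in for whatever list is public in a real deployment.

```python
"""Audit where an account's password-reset mail actually lands.

Resolves mail aliases transitively (e.g. endoflife -> triage -> a public
list) and classifies each reset destination so that service accounts whose
recovery path is readable by anyone can be found before they are hijacked.
"""
from typing import Dict, List, Optional, Set, Tuple

# Constructed alias table in /etc/aliases style: local name -> targets.
# Example values only; this is not the real Fedora alias configuration.
ALIASES: Dict[str, List[str]] = {
    "endoflife": ["triage"],                       # forwards to another alias
    "triage": ["triage@lists.example.org"],        # which forwards to a list
    "releng": ["alice@example.org", "bob@example.org"],  # closed group
    "loop-a": ["loop-b"],                          # misconfigured alias loop
    "loop-b": ["loop-a"],
}

# Constructed set of addresses known to be publicly archived mailing lists.
PUBLIC_LISTS: Set[str] = {"triage@lists.example.org"}


def resolve(address: str, aliases: Dict[str, List[str]],
            _seen: Optional[Set[str]] = None) -> Set[str]:
    """Return the set of terminal mailboxes that `address` expands to.

    A bare local name present in the alias table is expanded recursively;
    anything else is treated as a final mailbox. `_seen` tracks aliases on
    the current expansion path so a loop yields an empty set instead of
    infinite recursion.
    """
    seen = set() if _seen is None else _seen
    if address in seen:
        return set()            # alias loop: mail here is never delivered
    if address not in aliases:
        return {address}        # terminal mailbox or external address
    seen.add(address)
    final: Set[str] = set()
    for target in aliases[address]:
        final |= resolve(target, aliases, seen)
    return final


def audit_reset_address(reset_address: str, aliases: Dict[str, List[str]],
                        public_lists: Set[str]) -> Tuple[str, List[str]]:
    """Classify the password-reset destination of one account.

    Returns (verdict, sorted final mailboxes) where verdict is one of:
      "public"        - reset mail reaches a public list; anyone can reset
      "undeliverable" - alias loop or empty expansion; reset can never work
      "closed-group"  - several private mailboxes; shared but controlled
      "private"       - exactly one private mailbox
    """
    final = resolve(reset_address, aliases)
    if not final:
        return "undeliverable", []
    if final & public_lists:
        return "public", sorted(final)
    if len(final) > 1:
        return "closed-group", sorted(final)
    return "private", sorted(final)


def audit_all(accounts: Dict[str, str], aliases: Dict[str, List[str]],
              public_lists: Set[str]) -> Dict[str, Tuple[str, List[str]]]:
    """Audit a mapping of account name -> configured reset address."""
    return {name: audit_reset_address(addr, aliases, public_lists)
            for name, addr in accounts.items()}


if __name__ == "__main__":
    # Constructed Bugzilla-style accounts and their reset addresses.
    accounts = {
        "endoflife": "endoflife",
        "releng": "releng",
        "broken": "loop-a",
        "jan": "jan@example.org",
    }
    for name, (verdict, boxes) in audit_all(accounts, ALIASES, PUBLIC_LISTS).items():
        print(f"{name:10s} {verdict:14s} {', '.join(boxes) or '-'}")
```

Run it as a script to see the report; only the "public" and "undeliverable" verdicts need action, since the first is the hijack path from the thread and the second is the state Jan would be in if the mail were simply dropped.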
On Mon, 7 Dec 2015 12:57:30 +0100 Jan Kurik jkurik@redhat.com wrote:
We could do this, but I am not sure what advantage it might bring us.
Now that the password is reset, why not point it back to the list?
Is the list of use? If we don't care about any emails to that account, we could just drop them.
kevin
I am fine with pointing the account back to the list. However, I would like to make sure only a closed group of people can change the password of the Bugzilla account. Having the account pointing to a public mailing list allows anyone to change the password. Dropping all the emails coming from this Bugzilla account would do the job, but there would then be no possibility to change the password in case it becomes invalid (which is what happened last time).
What I am trying to achieve is a service account shared and controlled by a closed group of people.
If there is any better solution, I am open to accept it.
Regards, Jan
On Sat, Dec 26, 2015 at 9:54 PM, Kevin Fenzi kevin@scrye.com wrote:
infrastructure mailing list infrastructure@lists.fedoraproject.org http://lists.fedoraproject.org/admin/lists/infrastructure@lists.fedoraprojec...