SaltStack is vulnerable to an exploit effectively granting root privileges to anyone: see https://saltexploit.com/. Fortunately, we patched quickly, but it does raise multiple questions regarding our SaltStack configuration (which is why SRE has removed SaltStack tools from the servers). There are multiple CVEs for the Salt master, yet the Salt master was publicly reachable for everyone and at first glance it looks like security recommendations were not adhered. @Paladox suggested we move to Cumin (which relies on SSH, not agents), but that is one of the many options to go for. Important: even if we decide to drop Salt, we must still determine why Miraheze was exposed to such risks in the first place.
|Invalid||Paladox||T5543 Reconfigure SaltStack or replace it with another tool|
|Open||None||T5537 Replace SaltStack with Cumin|
My thoughts are we should replace salt with cumin as cumin is basically just a wrapper around ssh. It also means less software to maintain (since salt requires a master and a agent installed on each server). This also means we could use cumin against ns1. SSH is battle tested, it has been available for many many many years and has proven to be secure.