Trac Policies
Admin Accounts
In #27282, we created a draft admin account policy:
Accounts that haven't been active for 6 months will have all extra permissions removed, including GRP_admin and TRAC_ADMIN.
Pager playbook
Deleting a spammer
/home/tracadm/bin/delete-user USERNAME
Purging anonymous sessions
Trac doesn't automatically purge "anonymous sessions", which can clutter the database. This will clear all sessions up to May 11th 2020:
trac-admin /srv/trac.torproject.org/trac/tor/ session purge "2020-05-11T14:22:00+00:00"
There's now a cronjob (crontab -e -u tracweb) that will purge sessions older than 7 days, but it hasn't been verified:
trac-admin /srv/trac.torproject.org/trac/tor/ session purge "7 days"
Before the purge, in May 2020, there were around 1 million session entries. After purging, that dropped to a more reasonable 50,000 entries.
Disabling the cypherpunk account
If the cypherpunk account misbehaves, it might be worth disabling it for a while. There are many cypherpunks accounts in the database; to block all their passwords, try:
sed '/cypherpunk/{s/:.*/:$5$*/}' -i.orig /srv/trac.torproject.org/trac-var/trac.users
Then delete their session:
trac-admin /srv/trac.torproject.org/trac/tor/ session delete cypherpunks
Note that it's unclear if this actually works: in tor#34175 the cypherpunk account still seemed to be capable of adding stuff in Trac.
Also, the password is regularly reset with a cronjob, so you will need to disable that in:
crontab -e -u tracweb
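Since it is unclear whether the lock holds, and the cronjob can undo it, a check on the password file helps. The following is an added example, not part of the original playbook: it runs the sed expression above on a constructed scratch file and lists any matching entry that is not locked. The function names and sample entries are made up for illustration, and GNU sed is assumed.

```shell
#!/bin/sh
# Added example: all file contents below are constructed sample data.

# Write a constructed htpasswd-style file (user:hash) to the path in $1.
make_sample() {
    cat > "$1" <<'EOF'
alice:$apr1$constructed$AAAAAAAAAAAAAAAAAAAAAA
cypherpunks:$apr1$constructed$BBBBBBBBBBBBBBBBBBBBBB
cypherpunk2:$apr1$constructed$CCCCCCCCCCCCCCCCCCCCCC
EOF
}

# Apply the playbook's sed expression to the file in $1 (GNU sed syntax).
# The original is kept next to it as "$1.orig".
lock_cypherpunks() {
    sed -i.orig '/cypherpunk/{s/:.*/:$5$*/}' "$1"
}

# Print the user name of every matching entry whose password field is
# anything other than the locked marker "$5$*".
# Empty output means every matching entry is locked.
unlocked_cypherpunks() {
    awk '/cypherpunk/ {
        i = index($0, ":")
        if (i > 0 && substr($0, i + 1) != "$5$*") print substr($0, 1, i - 1)
    }' "$1"
}

# Run the whole sequence on a scratch copy and report before/after.
demo() {
    dir=$(mktemp -d) || return 1
    f="$dir/trac.users"
    make_sample "$f"
    echo "unlocked before: $(unlocked_cypherpunks "$f" | tr '\n' ' ')"
    lock_cypherpunks "$f"
    echo "unlocked after:  $(unlocked_cypherpunks "$f" | tr '\n' ' ')"
    rm -rf "$dir"
}
demo
```

Run unlocked_cypherpunks against the real trac.users after the next run of the tracweb cronjob: non-empty output means a password was reset and that entry can log in again.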