gnu-arch-users

Re: [Gnu-arch-users] RFC: arch protocol, smart server, and tla implement


From: Colin Walters
Subject: Re: [Gnu-arch-users] RFC: arch protocol, smart server, and tla implementation prototypes
Date: Fri, 30 Jan 2004 15:37:50 -0500

On Fri, 2004-01-30 at 11:45, Robin Green wrote:

> AFAIK, any ssh approach requires shell access for every user, which
> cannot be disabled.

There is rssh: http://rssh.sf.net/
On rhythmbox.org where I host a shared repository for Rhythmbox
development, I also use a SELinux policy to restrict the users to a role
with very few permissions.  Even supposing they were able to exploit a
buffer overflow or something in rssh, just about all they can do is
read/write to a small area of the filesystem; no ptrace, no reading
/proc, no opening sockets, etc.

>  IMO this is broken - it should be possible to
> reuse the authentication+encryption+compression+protocol aspects of
> SSH without having to give people complete shell access (which allows
> them to e.g. do local root exploits more easily). For a project
> which is supposedly focused on security, this seems to me a major
> oversight. Someone correct me if I'm wrong.

Well, you would still have to allocate uids for the users, etc... it's
either that or the subsystem runs in the sshd uid, which would be
unacceptable.

Maybe another alternative would be some sort of PAM module which would
map particular logins to a specified daemon uid, or something.  

> I like the end goal of "don't force everyone to upgrade". But let's
> try and keep an eye on simplicity. More protocol complexity with tons
> of versions to track (and branches of versions!) means more code
> complexity. I believe versioning commands is too much and is 
> unnecessary.

Yeah.  I intend for the protocol to be worked on for some time before we
say it's "standard".  I don't want to put everyone through
Subversion-like pains...

Attachment: signature.asc
Description: This is a digitally signed message part

