Re: --allow-root and init via SSH

From: Greg A. Woods
Subject: Re: --allow-root and init via SSH
Date: Tue, 11 Dec 2001 12:19:50 -0500 (EST)

[ On Tuesday, December 11, 2001 at 10:59:07 (+0100), Stephan Feder wrote: ]
> Subject: --allow-root and init via SSH
> I want to set up CVS in a way so that some dedicated cvs users cannot do
> anything hostile. For that reason they have to login via SSH and their
> login shell is a simple program that checks that they want to execute
> "cvs server" and then executes "cvs server" itself. But now a simple
> "cvs -d :ext:<user>@host:/tmp/<any name> init" allows those users to
> "pollute" the /tmp directory (or any other directory they are allowed to
> write to, even within an existing repository they have access to).
> Should not creating new repositories be disallowed via remote access?

What use would CVS be if that were a default restriction?  :-)

Seriously, the problem here is with world writable directories, not with
tools that create and manage directories and files.  You need to have
procedures and policies for dealing with these issues whenever you have
a multi-user system with world-writable directories.  This problem is
not new, and it will not likely go away for some time to come.

> Another question I asked some time ago on this list:
> Is --allow-root evaluated for "cvs server" in the current development
> version, or is it at least on the todo list?

Now you're really asking for trouble.  Generally speaking the superuser
account should never be used directly from remote (though with
tremendous care in implementation and use one might use per-person SSH
keys that give a solid audit trail of who accessed the account, and
there are arguments suggesting such a configuration is more secure than
using 'su').

However w.r.t. CVS, there's no way possible, currently, for it to
securely authenticate the remote user, even if sshd has been able to do
so, and therefore it's impossible for CVS to log who did something.
I.e. --allow-root for remote users is just something that you do not
ever want to do.

                                                                Greg A. Woods

+1 416 218-0098;  <address@hidden>;  <address@hidden>;  <address@hidden>
Planix, Inc. <address@hidden>; VE3TCP; Secrets of the Weird <address@hidden>
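
[Added example, not part of the thread and not CVS's own code.] The restricted login shell Stephan describes only checks that the requested command is "cvs server"; it cannot see which repository the client then asks for, because that is carried inside the CVS client/server protocol as a "Root <path>" request (use an existing repository) or an "init <path>" request (create one). The script below is one way to close that gap in the absence of an --allow-root check for "cvs server": it refuses any command other than "cvs server", then sits between the SSH session and the real "cvs server", forwarding requests but refusing Root and init paths outside an allowed prefix. ALLOWED_ROOTS, CVS_BINARY, the assumption that sshd invokes the login shell as `<shell> -c "cvs server"`, and the constructed client stream in simulate() are all assumptions of this example.

```python
#!/usr/bin/env python3
"""Restricted login shell for CVS-over-SSH accounts (illustrative example,
not code from CVS or from the poster).

sshd runs an account's login shell as   <shell> -c "<command>"   so this
script refuses everything except "cvs server", then proxies the CVS
client/server protocol and vets the two requests that name a server-side
path: "Root <path>" (use an existing repository) and "init <path>"
(create one).  ALLOWED_ROOTS and CVS_BINARY are assumed values.
"""
import os
import subprocess
import sys
from io import BytesIO

ALLOWED_ROOTS = ("/var/cvsroot",)   # assumption: the only prefix these accounts may touch
CVS_BINARY = "/usr/bin/cvs"         # assumption: location of the real cvs binary


def requested_command_ok(argv):
    """Accept only  -c 'cvs server'  (whitespace-normalised); anything else,
    e.g. 'cvs server; sh' or an interactive login with no -c, is refused."""
    return len(argv) == 3 and argv[1] == "-c" and argv[2].split() == ["cvs", "server"]


def path_is_allowed(path, allowed_roots=ALLOWED_ROOTS):
    """True if path is an allowed root or lies beneath one.  normpath folds
    '..' components; the os.sep check stops /var/cvsroot-evil matching /var/cvsroot."""
    if not path.startswith("/"):
        return False
    norm = os.path.normpath(path)
    for root in allowed_roots:
        root = os.path.normpath(root)
        if norm == root or norm.startswith(root + os.sep):
            return True
    return False


def vet_request(line, allowed_roots=ALLOWED_ROOTS):
    """Return None if a client request line may be forwarded, else a reason.
    Root and init carry a server-local path and are checked; Gzip-stream is
    refused because everything after it would be compressed and unvettable."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if parts[0] in ("Root", "init"):
        arg = parts[1] if len(parts) == 2 else ""
        if not path_is_allowed(arg, allowed_roots):
            return "%s outside allowed repositories: %s" % (parts[0], arg)
    if parts[0] == "Gzip-stream":
        return "Gzip-stream is not permitted through this wrapper"
    return None


def proxy(client_in, client_out, server_in, allowed_roots=ALLOWED_ROOTS):
    """Copy requests from the client to the server's stdin, vetting each one.
    Returns None at clean EOF, or the reason a request was refused (after
    sending the client the protocol's 'E <text>' and 'error' responses)."""
    while True:
        line = client_in.readline()
        if not line:
            return None
        reason = vet_request(line.decode("latin-1"), allowed_roots)
        if reason:
            client_out.write(("E %s\nerror  \n" % reason).encode("latin-1"))
            client_out.flush()
            return reason
        server_in.write(line)
        # "Modified <file>" is followed by a mode line, a length line (with a
        # leading 'z' when gzipped) and that many raw bytes of file content.
        # Copy the payload by length so file contents are never parsed as requests.
        if line.startswith(b"Modified "):
            mode = client_in.readline()
            length = client_in.readline()
            server_in.write(mode + length)
            server_in.write(client_in.read(int(length.strip().lstrip(b"z") or b"0")))
        server_in.flush()


def simulate(client_bytes, allowed_roots=ALLOWED_ROOTS):
    """Offline harness over a constructed client stream: returns (reason,
    bytes the server would have received, bytes sent back to the client)."""
    client_out, server_in = BytesIO(), BytesIO()
    reason = proxy(BytesIO(client_bytes), client_out, server_in, allowed_roots)
    return reason, server_in.getvalue(), client_out.getvalue()


def main():
    if not requested_command_ok(sys.argv):
        sys.stderr.write("only 'cvs server' is permitted on this account\n")
        return 1
    server = subprocess.Popen([CVS_BINARY, "server"], stdin=subprocess.PIPE)
    try:
        reason = proxy(sys.stdin.buffer, sys.stdout.buffer, server.stdin)
    finally:
        server.stdin.close()
    status = server.wait()
    return 1 if reason else status


if __name__ == "__main__":
    sys.exit(main())
```

Install it as the dedicated accounts' login shell (and list it in /etc/shells); "cvs -d :ext:user@host:/tmp/x init" then fails with the E/error response before the real server ever sees the init request, while Root paths under /var/cvsroot pass through unchanged. Two caveats a practitioner should keep in mind: refusing Gzip-stream means users cannot use "cvs -z", and the wrapper constrains only what this account can make cvs do, not what the account can write to directly, so Greg's point about world-writable directories still stands.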