info-cvs

RE: Security, audits and pserver


From: Walter, Jan
Subject: RE: Security, audits and pserver
Date: Mon, 16 Dec 2002 11:42:55 +0100

Been watching this thread for a while... 

Here is my question:

Are chrooted environments truly more secure than accessing pserver over an
ssh tunnel? 

Yes, I know you can do both. There was some talk of local user accounts in a
chrooted environment being more secure than connecting to pserver, for
instance.

Personally I tend to believe that giving people any sort of local access
(even in a chrooted environment for the user, for instance) is more of a
security risk than allowing pserver access over ssl/ssh, with the limited
number of users having the key needed to connect (i.e. auto-key negotiation
disabled and so on). This limits the exposure of pserver to people already
having the public key of the server (and their public key registered there).

The way I have it set up here is that pserver and the cvsroots run as user
cvs, which is an account w/o a shell, but with a home directory (the cvsroots).
Other users do not have any privileges in the cvs directories. Since the
network is trusted, encryption over the network is not necessary here, but
it would be possible to set up. The passwd and readers files, while living
in the $CVSROOT/CVSROOT directory, are not part of the repository (i.e. no ,v
files) and so cannot be modified by any users.

Advantages:
- separate user management per cvsroot via the cvs passwd and readers files
(i.e. local account != cvs access)
- optional connectivity with ssh (and potentially limiting access not only
by user, but also by valid keys)
- users on the local machine do not have read or write access to the
repository (except when connecting via pserver too, of course, but the point
is that they cannot go in and muck around with the actual files in the
repository)

Disadvantages:
- if someone did a buffer overflow attack and could get a shell, they would
have access to the cvsroots (but a chroot environment does not prevent that,
it just limits access to other binaries and directories)
- obviously, the ssh tunnel is potentially vulnerable to overflow attack
- attackers could get the keys needed to attack pserver directly by cracking
the accounts of the remote users
- changing the user's password requires admin intervention (a huge pain for
bigger sites, I suppose)

Cheers,

Jan

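A shell audit for the layout Jan describes above, added here as an example and not part of the original message: it checks that passwd and readers are not version-controlled, that every pserver login maps to the single repository account, and that nobody else can read or write the archive files. It assumes that account is named cvs (overridable by the second argument) and that the passwd third field is used for the mapping.

```shell
# Added example, not from the original post. Audits a CVSROOT for the
# pserver layout described in the message. Assumption: the shell-less
# repository account is "cvs" unless another name is passed.
audit_cvsroot() {
  root=$1
  owner=${2:-cvs}
  adm="$root/CVSROOT"
  rc=0
  # passwd and readers must be plain files, never checked-in ,v archives;
  # otherwise a committer could edit access control through CVS itself.
  for f in passwd readers; do
    if [ -e "$adm/$f,v" ]; then
      echo "FAIL: $adm/$f,v exists, so $f is under version control"
      rc=1
    fi
  done
  # pserver passwd lines are login:crypt_hash[:system_user]. An omitted
  # system user means "a local account named like the login", which is
  # exactly the local-account == cvs-access coupling the setup avoids.
  if [ -f "$adm/passwd" ]; then
    while IFS=: read -r login hash sysuser; do
      [ -n "$login" ] || continue
      if [ -z "$hash" ]; then
        echo "FAIL: login '$login' has an empty password"
        rc=1
      fi
      if [ "${sysuser:-$login}" != "$owner" ]; then
        echo "FAIL: login '$login' maps to '${sysuser:-$login}', not '$owner'"
        rc=1
      fi
    done < "$adm/passwd"
  fi
  # Everything under the root must belong to the pserver account and be
  # neither readable nor writable by others, or local users can bypass
  # pserver and touch the ,v files directly. (Whether the account really
  # has no login shell is left to the system's own tools.)
  exposed=$(find "$root" \( ! -user "$owner" -o -perm -0004 -o -perm -0002 \) -print)
  if [ -n "$exposed" ]; then
    echo "FAIL: not owned by $owner or accessible to others:"
    echo "$exposed"
    rc=1
  fi
  return $rc
}

# usage: audit_cvsroot /path/to/cvsroot cvs
```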


> -----Original Message-----
> From: address@hidden [mailto:address@hidden 
> Sent: Friday, December 13, 2002 5:21 PM
> To: address@hidden; address@hidden; 
> address@hidden; address@hidden
> Subject: Re: Security, audits and pserver
> 
> 
> >--- Forwarded mail from address@hidden
> 
> >--- Paul Sander <address@hidden> wrote:
> >> A chroot environment is only good at containing
> >> what's inside it.  It
> >> does not prevent access to the chroot environment
> >> from outside.
> 
> >I see.  I guess it's obvious that the repository would
> >have to be within the chroot'ed environment meaning
> >that such an environment wouldn't help in preventing
> >users from directly accessing the archive files.  Is
> >this right?
> 
> This is correct, provided the users (or other services) 
> aren't confined to their own (non-overlapping) chroot environments.
> 
> >--- End of forwarded message from address@hidden
> 