Re: How to programmatically restrict a /bin/rm command in a repository?

From: Greg A. Woods
Subject: Re: How to programmatically restrict a /bin/rm command in a repository?
Date: Wed, 3 Sep 2003 17:03:29 -0400 (EDT)

[ On Tuesday, September 2, 2003 at 17:24:53 (-0400), Christopher Rumpf wrote: ]
> Subject: How to programmatically restrict a /bin/rm command in a repository?
> I have some developers who simply refuse to use the 'cvs rm', 'cvs delete'
> and 'cvs remove' commands.  Instead they log into the CVS server (using
> SSH), cd into the repository and /bin/rm the ,v files which they are
> concerned about.  (yikes!)

If you can't retrain them using external policy enforcement (peer
pressure, management directives, etc.) then I'd suggest replacing
/bin/rm on that system with a program that fails with a nice explanatory
message if it finds itself being told to remove any file within your

> Has anyone encountered this before and how did you solve it?

Most of the time I've found it sufficient to tell such people that if
they don't stop doing such things then they'll be fired on the spot,
plain and simple (and in those cases either I am effectively management,
or at least I have management firmly on my side).

>  The only way I
> can think (right now) is to write  a script that will run for every single
> /bin/rm command which will first make sure that the repository path is not
> in the path to be deleted.

You need to check the current working directory and chase down relative
paths too.

>  This seems very inefficient.

Inefficient?  In what way?

It's not a perfect or unbeatable solution of course (a good programmer
or even a talented non-programmer can probably find a dozen more ways to
remove a file), but somehow you have to get the point across to them and
hopefully you can do it in such a way that they'll learn from their
mistakes and not simply stomp off in a huff.

In fact you probably don't even want to appear to be trying to make it
perfect or unbreakable -- you just want them to know that messing with
files directly in the repository is forbidden except in very special
circumstances, and only with the direct permission and participation of
the repository manager.

CVS is not a security tool and indeed any application like it must
either work like Fort Knox and take on all security responsibility
itself or else rely on external policy enforcement (e.g. peer pressure,
education, threat of losing your job, etc.) in order to maintain data
integrity.  Most collaborative Unix/POSIX based distributed applications
cannot successfully work like Fort Knox and shouldn't even try to do so.

> <html>

Please DO NOT EVER send HTML, rich text, or otherwise stylized e-mail,
especially not to me or to any public mailing list.  Not all mail
readers will recognize such formats, and their added volume is generally
a total waste of bandwidth, storage, and processing power for everyone.
HTML in particular is a potential security threat and many firewalls and
some mailing lists filter it entirely -- especially since CERT and
Microsoft have jointly announced a very major flaw in the HTML rendering
engine used in all Microsoft products (in versions still widely in use,
and which isn't even properly fixed in the most recent releases).

For more information see, for instance, the following articles:

Please send all your messages as plain text only.

                                                Greg A. Woods

+1 416 218-0098                  VE3TCP            RoboHack <address@hidden>
Planix, Inc. <address@hidden>          Secrets of the Weird <address@hidden>
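
The path check discussed in this message (resolve the working directory and relative paths before comparing against the repository), written out as an added example; it is not code from the original thread. The repository location `/var/cvsroot`, the renamed real binary `/bin/rm.real`, and all function names are assumptions.

```shell
#!/bin/sh
# Added example: path check for an rm wrapper. Both defaults are assumptions.
CVSROOT_GUARD=${CVSROOT_GUARD:-/var/cvsroot}  # assumed repository location
REAL_RM=${REAL_RM:-/bin/rm.real}              # assumed path of the renamed real rm

# Print the physical absolute path of $1. The parent directory is resolved
# relative to the cwd through symlinks and ".."; the last component is kept
# as named, because rm unlinks a symlink itself rather than its target.
resolve_path() {
    dir=$(dirname -- "$1"); base=$(basename -- "$1")
    absdir=$(cd -P -- "$dir" 2>/dev/null && pwd -P) || return 1
    case $base in
        /)    printf '/\n' ;;
        .|..) (cd -P -- "$absdir/$base" && pwd -P) ;;
        *)    printf '%s\n' "${absdir%/}/$base" ;;
    esac
}

# Status 0 if removing $1 would touch the repository: the target is the
# repository root, lies inside it, or is one of its ancestors (rm -r).
touches_repo() {
    root=$(cd -P -- "$CVSROOT_GUARD" 2>/dev/null && pwd -P) || return 1
    target=$(resolve_path "$1") || return 1
    case $target/ in "$root"/*) return 0 ;; esac
    case $root/ in "${target%/}"/*) return 0 ;; esac
    return 1
}

# Refuse the whole command if any operand touches the repository.
guarded_rm() {
    opts=1
    for arg; do
        if [ "$opts" = 1 ]; then
            case $arg in --) opts=0; continue ;; -?*) continue ;; esac
        fi
        if touches_repo "$arg"; then
            echo "rm: '$arg' is in the CVS repository; use 'cvs remove'" >&2
            return 1
        fi
    done
    "$REAL_RM" "$@"
}

# When installed as the wrapper script, act on the command-line operands.
if [ "$#" -gt 0 ]; then guarded_rm "$@"; exit; fi
```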
