info-cvs

Re: cvs ext (ssh), but no shell access..


From: Rob Helmer
Subject: Re: cvs ext (ssh), but no shell access..
Date: Thu, 25 Sep 2003 09:57:36 -0700
User-agent: Mutt/1.3.28i

On Wed, Sep 24, 2003 at 04:56:19PM -0700, Mike Castle wrote:
> In article <address@hidden>,
> Wim Bertels  <address@hidden> wrote:
> >Houdi,
> >It's a remote clients/server setup,
> >cvs is up and running, but by using the ext method users automatically gain
> >shell access to the cvs server, this is NOT intended, how do you solve this?
> >(I need to use ssh because I have to use pam_ldap to authenticate the 
> >cvs-users)
> 
> I don't worry about it.
> 
> Make sure nothing but CVS is on the machine, and users won't have access to
> anything they don't already have access to.
> 
> No additional risk.


Well, I wouldn't say that. A real shell enables them to:

1) permanently delete files under CVS control
2) run arbitrary commands (including commands they upload)

1 is bad enough, but 2 could allow them (or someone with access to their
account) to use the server for any manner of attack on other servers
either inside or outside of your organization.

The only command they need to run is "cvs server"; I don't see any
reason to give more access than that if it's a CVS-only machine.



--
Rob Helmer
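
The restriction described in the message above, sketched as an added example that is not part of the original message or of CVS: an OpenSSH forced-command wrapper that runs `cvs server` and nothing else. The install path `/usr/local/bin/cvs-only`, the `cvs` location and the `cvsusers` group are assumptions.

```shell
#!/bin/sh
# Added example: forced-command wrapper that limits an SSH account to "cvs server".
# Assumptions (not from the thread): installed as /usr/local/bin/cvs-only,
# cvs binary at /usr/bin/cvs, accounts in a group named cvsusers, and wired
# up in sshd_config with:
#
#   Match Group cvsusers
#       ForceCommand /usr/local/bin/cvs-only
#       AllowTcpForwarding no
#       X11Forwarding no
#
# sshd puts what the client asked to run in SSH_ORIGINAL_COMMAND; it is
# unset when the client asks for an interactive shell.

CVS_BIN=/usr/bin/cvs   # assumed path; absolute so PATH cannot redirect it

# Succeed only for the exact request the CVS :ext: client sends.
# Exact comparison means "cvs server; sh" or "cvs server -f x" never match.
is_cvs_server_request() {
    [ "$1" = "cvs server" ]
}

# Print "allow" or "deny" for a requested command (empty = interactive login).
decide() {
    if is_cvs_server_request "$1"; then
        echo allow
    else
        echo deny
    fi
}

main() {
    requested="${SSH_ORIGINAL_COMMAND:-}"
    if [ "$(decide "$requested")" = allow ]; then
        # The request string is never passed to a shell; fixed argv only.
        exec "$CVS_BIN" server
    fi
    logger -t cvs-only "denied for ${USER:-unknown}: $requested" 2>/dev/null || true
    echo "This account may only run 'cvs server'." >&2
    exit 1
}

# Run only when invoked under the installed name, so the functions above
# can be sourced and checked without executing anything.
case "${0##*/}" in
    cvs-only) main ;;
esac
```

Because `ForceCommand` is applied by sshd after authentication, it works with password logins through PAM as well as with keys.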



