[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: cvs ext (ssh), but no shell access..

From: Rob Helmer
Subject: Re: cvs ext (ssh), but no shell access..
Date: Thu, 25 Sep 2003 09:57:36 -0700
User-agent: Mutt/1.3.28i

On Wed, Sep 24, 2003 at 04:56:19PM -0700, Mike Castle wrote:
> In article <address@hidden>,
> Wim Bertels  <address@hidden> wrote:
> >Houdi,
> >Its a remote clients/server setup,
> >cvs is up and running, but by using the ext method users automatically gain
> >shell access to the cvs server, this in NOT intended, how do you solve this.
> >(i need to use ssh because i have to use pam_ldap to authenticate the 
> >cvs-users)
> I don't worry about it.
> Make sure nothing but CVS is on the machine, and users won't have access to
> anything they don't already have access to.
> No additional risk.

Well, I wouldn't say that. A real shell enables them to :

1) permanently delete files under CVS control
2) run arbitrary commands (including commands they upload)

1 is bad enough, but 2 could allow them (or someone with access to their
account) to use the server for any manner of attack on other servers
either inside or outside of your organization.

The only command they need to run is "cvs server", I don't see any
reason to give more access than that if it's a CVS-only machine.

Rob Helmer

reply via email to

[Prev in Thread] Current Thread [Next in Thread]