info-cvs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Security


From: Kaz Kylheku
Subject: Re: Security
Date: Mon, 17 Sep 2001 01:09:53 GMT
User-agent: slrn/0.9.6.3 (Linux)

In article <address@hidden>, Stevie O wrote:
>At 01:19 AM 9/17/2001 +0100, you wrote:
>incredibly easy to do with the current protocol).  And the idea is to NOT 
>have to give people login access to my machine just so they can access the 
>repository.

You should not pretend that CVS access is anything less than login access,
no matter what protocol is used.

What you can do is give people ssh access, and then replace their
shell with a script which filters the possible commands that can be
remotely executed.

Here is an example script which will allow users to copy files to and
from their home directory of their account and to access CVS. 
It also logs the user's action.  Use at your own risk.

#!/bin/sh
#
# $Id: cvs_or_scp_only,v 1.1 2000/06/26 23:37:23 kaz Exp $
#
# This is a script which restricts an incoming ssh or rsh connection to only
# certain actions. This is installed as the user's login shell.
#

function run_valid_commands()
{
        COMMAND=""

        if [ $# -gt 1 ] ; then
                shift # get rid of -c
                COMMAND=$1
                shift # get rid of command
        fi

        case $COMMAND in
                scp )
                        if [ "$*" = "-f ." -o "$*" = "-t ." ] ; then
                                exec /usr/local/bin/scp "$@"
                        else
                                echo "You may only copy files to and from your 
home directory!"
                        fi
                        ;;
                cvs )
                        /usr/bin/cvs -d "/home/$USERID/cvsroot" server
                        ;;
                ls )
                        exec /bin/ls -aFC
                        ;;
                ll )
                        exec /bin/ls -alF
                        ;;
                * )
                        echo "Sorry, you may only do the following:"
                        echo "- use 'cvs' to access the cvs repository"
                        echo "- use 'scp' to copy files to and from your home"
                        echo "- use 'ls' or 'll' to list home directory"
                        ;;
        esac
}

USERID=$(id -un)
LOGENTRY="$(date): [$USERID]: $@"
echo $LOGENTRY >> "/var/log/$USERID/accesslog"
run_valid_commands $@


reply via email to

[Prev in Thread] Current Thread [Next in Thread]