Re: Security

From: Kaz Kylheku
Subject: Re: Security
Date: Mon, 17 Sep 2001 01:09:53 GMT
User-agent: slrn/0.9.6.3 (Linux)

In article <address@hidden>, Stevie O wrote:
>At 01:19 AM 9/17/2001 +0100, you wrote:
>incredibly easy to do with the current protocol). And the idea is to NOT
>have to give people login access to my machine just so they can access the
>repository.

You should not pretend that CVS access is anything less than login access,
no matter what protocol is used.

What you can do is give people ssh access, and then replace their
shell with a script which filters the possible commands that can be
remotely executed.

Here is an example script which will allow users to copy files to and
from the home directory of their account and to access CVS.
It also logs the user's action. Use at your own risk.

#!/bin/sh
#
# $Id: cvs_or_scp_only,v 1.1 2000/06/26 23:37:23 kaz Exp $
#
# This is a script which restricts an incoming ssh or rsh connection to only
# certain actions. This is installed as the user's login shell.
#

run_valid_commands()
{
    COMMAND=""

    # The daemon invokes the login shell as: <shell> -c "<command line>"
    if [ $# -gt 1 ] ; then
        shift # get rid of -c
        COMMAND=$1
        shift # get rid of command
    fi

    case "$COMMAND" in
    scp )
        # Only the exact remote-side invocations for the home directory.
        if [ "$*" = "-f ." -o "$*" = "-t ." ] ; then
            exec /usr/local/bin/scp "$@"
        else
            echo "You may only copy files to and from your home directory!"
        fi
        ;;
    cvs )
        # Client arguments are ignored; the repository path is fixed.
        /usr/bin/cvs -d "/home/$USERID/cvsroot" server
        ;;
    ls )
        exec /bin/ls -aFC
        ;;
    ll )
        exec /bin/ls -alF
        ;;
    * )
        echo "Sorry, you may only do the following:"
        echo "- use 'cvs' to access the cvs repository"
        echo "- use 'scp' to copy files to and from your home"
        echo "- use 'ls' or 'll' to list home directory"
        ;;
    esac
}

USERID=$(id -un)
LOGENTRY="$(date): [$USERID]: $*"
echo "$LOGENTRY" >> "/var/log/$USERID/accesslog"

# The unquoted $@ splits the command line into words on purpose;
# set -f keeps that splitting from also expanding wildcards.
set -f
run_valid_commands $@
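
The same allow-list idea as an added example, not part of the original post: it compares the client's whole command line as one literal string and strips control characters before logging. It assumes OpenSSH's forced-command mechanism (`command=` in authorized_keys, which sets SSH_ORIGINAL_COMMAND) instead of a replaced login shell; the `cvs_gate` name, the `--serve` flag and the requirement that the CVS client send exactly `cvs server` are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: allow-list gate for an sshd forced command, installed as
#   command="/usr/local/bin/cvs_gate --serve" <key>   (path and name hypothetical)
CVS_BIN=/usr/bin/cvs          # program paths as used by the script in the post
SCP_BIN=/usr/local/bin/scp
LOG_DIR=/var/log              # per-user log directory layout as in the post

# Replace control characters so a request cannot forge extra log lines.
sanitize_for_log() {
    printf '%s' "$1" | LC_ALL=C tr -c '[:print:]' '?'
}

# handle_request MODE USER REQUEST
#   MODE=check prints the decision; MODE=run execs the fixed argv.
# REQUEST is matched as one literal string: never word-split, globbed or eval'd.
handle_request() {
    mode=$1 user=$2 req=$3
    case "$req" in
        "cvs server") set -- "$CVS_BIN" -d "/home/$user/cvsroot" server ;;
        "scp -f .")   set -- "$SCP_BIN" -f . ;;
        "scp -t .")   set -- "$SCP_BIN" -t . ;;
        "ls")         set -- /bin/ls -aFC ;;
        "ll")         set -- /bin/ls -alF ;;
        *)            echo "DENY"; return 1 ;;
    esac
    if [ "$mode" = run ]; then exec "$@"; fi
    echo "ALLOW $*"
}

if [ "${1:-}" = "--serve" ]; then
    user=$(id -un)
    req=${SSH_ORIGINAL_COMMAND:-}
    echo "$(date): [$user]: $(sanitize_for_log "$req")" >> "$LOG_DIR/$user/accesslog"
    handle_request run "$user" "$req"
else
    # Constructed requests, checked without executing anything.
    for r in "cvs server" "scp -t ." "scp -t /etc" "cvs server; id" "ls *"; do
        printf '%-16s -> %s\n' "$r" "$(handle_request check demo "$r")"
    done
fi
```
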