
RE: Security options :-(

From: Zieg, Mark
Subject: RE: Security options :-(
Date: Tue, 17 Dec 2002 10:01:24 -0500

> cvsphil would still have rights to maliciously modify the ,v files 
> though, right?  i.e., he could modify the history, etc.

He would have the *rights* to, yes, but provided that cvsphil was not
allowed to log into the system directly, he would not have an *opportunity*

I haven't done this myself in awhile, but you can configure a "genuine login
account" -- cvsphil, in this case -- who can connect via ssh, but through no
other method.  That is, cvsphil can't login from the console, from telnet,
rlogin, etc.  I think this is mainly done by setting his login shell to
"/sbin/nologin" or the equivalent.

Then, you can configure the user's ssh login so that the ONLY command they
can run via ssh is "cvs".  By default, ssh will open a login shell, but that
won't work for cvsphil, since he won't have a login shell configured.  Nor
will you allow phil to type "ssh address@hidden rm
/usr/local/cvsroot/CVSROOT/history", because ssh will be configured to
require the command to be "cvs" (rather than "rm" in this example), and will
strip out metacharacters like "&&" and ";".  And you'll also ftpchroot
cvsphil so he can't FTP into the repository server, either.  (cvsphil's a
tenacious and sneaky bastard, after all.)

Basically, "phil" can be logged into the repository server directly as
"phil", or onto some other networked computer as "whatever", yet in either
case the only way he'll be able to write to the CVS repository will be as
"ssh address@hidden cvs ...".  (All of that gets wrapped into his $CVSROOT
and $CVS_RSH environment variables, so he doesn't have to type anything but
"cvs ..." in reality.)

Anyway, it does require doing several things correctly, but I'm 99% sure it's
doable.  As for the details of configuring SSH to only permit a single
command to be executed, and to strip out metacharacters which could permit a
remote exploit, you'll need to check the SSH docs or see if someone has
written an appropriate HOWTO.  It's mostly laid out in the O'Reilly SSH
book, though (see the discussion of "forced commands" at

Unfortunately, although I saw several "CVS SSH HOWTO" documents on the web,
most were either incomplete, or written for end-users of an already-secured
repository.  I didn't see one which described, step-by-step, how to
construct a totally secure SSH/CVS Linux-based repository from the ground
up.  Does anyone have a link to such a document that I missed?  It would be
a pretty handy page.
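An added example (not part of Mark's message or of any CVS or OpenSSH documentation) of the forced-command wrapper described above: OpenSSH runs the `command=` program from `authorized_keys` instead of whatever the client asked for, and the CVS client always asks for `cvs server`, so the wrapper only has to accept exactly that string. The install path, the cvs binary path and the key are placeholders.

```shell
#!/bin/sh
# Forced-command wrapper for a CVS-only SSH account (example, not from the
# original thread). Install as e.g. /usr/local/bin/cvs-only and reference it
# from cvsphil's ~/.ssh/authorized_keys (placeholder path and key):
#   command="/usr/local/bin/cvs-only",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA...
# sshd then ignores the client's requested command, runs this script, and
# exposes the original request in SSH_ORIGINAL_COMMAND.

CVS_BIN=/usr/bin/cvs   # assumed location of the cvs binary

# Return 0 only when the request is exactly "cvs server" (what a CVS client
# runs through $CVS_RSH). Anything else, including a command that merely
# starts with "cvs server" followed by ";" or "&&", is refused. Argument: $1.
cvs_only_allowed() {
    case "$1" in
        'cvs server') return 0 ;;
        *)            return 1 ;;
    esac
}

# Describe why a request was refused, for the log line (string matching only).
cvs_only_reason() {
    case "$1" in
        '')              echo "no command (interactive shell request)" ;;
        *[';&|<>`$']*)   echo "shell metacharacter present" ;;
        *)               echo "command is not 'cvs server'" ;;
    esac
}

# Only act when started by sshd (SSH_CONNECTION is set by the daemon); when
# the file is sourced for testing this block is skipped.
if [ -n "$SSH_CONNECTION" ]; then
    if cvs_only_allowed "$SSH_ORIGINAL_COMMAND"; then
        # Run our own fixed command line, never the user-supplied string.
        exec "$CVS_BIN" server
    fi
    logger -t cvs-only "rejected from ${SSH_CLIENT%% *}: $(cvs_only_reason "$SSH_ORIGINAL_COMMAND")"
    echo "Only 'cvs server' is permitted on this account." >&2
    exit 1
fi
```

Combined with a non-interactive login shell and the `no-pty`/`no-*-forwarding` key options, this leaves `cvs server` as the only thing the account can execute over ssh.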
