Beefy Boxes and Bandwidth Generously Provided by pair Networks
P is for Practical
 
PerlMonks  

Re: [OT] Advanced CVS usage

by hacker (Priest)
on Jun 02, 2003 at 00:36 UTC ( #262272=note: print w/ replies, xml ) Need Help??


in reply to Re: Re: Re: [OT] Advanced CVS usage
in thread [OT] Advanced CVS usage

..which again suffers from a larger security hole than a properly-scoped ACL that does not require local user accounts.

As far as I know, without a SERIOUSLY locked down chroot (i.e. no logins allowed whatsoever), you can't let non-local users use ssh. You need to create a local account for them on the physical box (or LDAP, or whatever you use). This opens a potential hole in your security, pending someone exploiting the client machine or network (which, as you know, you can never trust or validate).

If someone has a trusted account on your box(es), they can always try "Exploit-of-the-week" to try to gain root or consume unnecessary resources of the machine proper. These can be controlled with limits(5) and chroot(8), but those too, require considerations of their own.

With a system using ACLs, and no local user accounts, you can be sure that even if the user's machine, network, or password were somehow sniffed or exploited in some way as to compromise their access to their repository, it does not compromise your server running those repositories.

Requiring a local account, ssh, cvs, login, or otherwise, is always going to be less secure than a system that works without the use of that constraint. See comp.security.misc and comp.security.ssh for more information on these issues.

Subversion is definately a contender for personal repositories, and public repositories where absolute security is not an issue, but those should be determined by the administrator who needs to install, maintain, and manage those repositories.


Comment on Re: [OT] Advanced CVS usage

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://262272]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others rifling through the Monastery: (16)
As of 2014-10-24 18:59 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    For retirement, I am banking on:










    Results (134 votes), past polls