[Python-Dev] PEP: Migrating the Python CVS to Subversion (original) (raw)
"Martin v. Löwis" martin at v.loewis.de
Fri Jul 29 23:19:04 CEST 2005
- Previous message: [Python-Dev] PEP: Migrating the Python CVS to Subversion
- Next message: [Python-Dev] PEP: Migrating the Python CVS to Subversion
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Michael Hudson wrote:
Would it work/how much risk would it be to create accounts with shell /bin/false?
It seems that the pydotorg admins are worried about such a prospect.
I believe this alone either won't work or won't be good enough (not sure which one): If you have /bin/false as login shell, and still manage to invoke /usr/bin/svnserve remotely, you can likely also invoke /usr/bin/cat /etc/passwd remotely (or download and build the root exploit via ssh).
So you would have restrict the set of valid programs to only svnserve. This is possible, but difficult to manage (AFAIK).
(still faintly bothered by ~/.subversion/auth/svn.simple/*...)
Indeed. I personally would prefer SSL client certificates. This is still tricky (where do you get the passphrase for the private key from (*)), but slightly better.
Regards, Martin
(*) In case you wonder, I'm personally using the following techniques here:
- on windows, remove the passphrase from the private key/.p12 file, and encrypt the file through NTFS encryption. Then you don't need to enter a passphrase, but still nobody can steal the private key from your disk (as long as you are not logged in; the same holds for ssh-agent)
- on Linux, my issue is that .subversion is on NFS, so any root user in our net can connect to the file. Therefore, I copy the .p12 file to /tmp/private_dir, and remove the passphrase there. No other machine can read the file (as /tmp is not exported), and the file goes away after machine shutdown latest (as tmp is cleaned on reboot).
- again on windows, I'm working on teaching subversion the Microsoft certificate store.
- Previous message: [Python-Dev] PEP: Migrating the Python CVS to Subversion
- Next message: [Python-Dev] PEP: Migrating the Python CVS to Subversion
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]