[Python-Dev] PEP: Migrating the Python CVS to Subversion
Barry Warsaw barry at python.org
Sat Jul 30 00:12:16 CEST 2005
On Fri, 2005-07-29 at 17:19, "Martin v. Löwis" wrote:

> I believe this alone either won't work or won't be good enough (not sure which one): If you have /bin/false as login shell, and still manage to invoke /usr/bin/svnserve remotely, you can likely also invoke /usr/bin/cat /etc/passwd remotely (or download and build the root exploit via ssh).
>
> So you would have to restrict the set of valid programs to only svnserve. This is possible, but difficult to manage (AFAIK).

I think that's basically right.

> - on Linux, my issue is that .subversion is on NFS, so any root user in our net can connect to the file. Therefore, I copy the .p12 file to /tmp/privatedir, and remove the passphrase there. No other machine can read the file (as /tmp is not exported), and the file goes away after machine shutdown at the latest (as tmp is cleaned on reboot).

I don't think that's true on all Linuxes though (or even all *nixes).
-Barry
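
The restriction discussed above (a key that may run only svnserve) is normally expressed in OpenSSH's `authorized_keys` with a forced `command=` option. As an added example, not part of the original message or of any python.org setup, this script audits such a file for entries that are not pinned to `svnserve -t`; the function names are hypothetical and the sample entries are constructed.

```python
import re

# Options that strip interactive and forwarding features from a key.
LOCKDOWN = {"no-pty", "no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding"}
KEY_TYPE = re.compile(r"^(ssh-|ecdsa-|sk-)")

def split_unquoted(text, sep):
    """Split on a separator class, ignoring separators inside double quotes."""
    return re.findall(r'(?:[^%s"]|"(?:\\.|[^"\\])*")+' % sep, text)

def audit_line(line):
    """Findings for one key entry; an empty list means it is pinned to svnserve."""
    first = split_unquoted(line.strip(), r"\s")[0]
    # No option field at all when the entry starts with the key type.
    opts = [] if KEY_TYPE.match(first) else split_unquoted(first, ",")
    names = {o.split("=", 1)[0].lower() for o in opts}
    cmd = next((o.split("=", 1)[1].strip('"') for o in opts
                if o.lower().startswith("command=")), None)
    findings = []
    if cmd is None:
        findings.append("no forced command: the client chooses what runs")
    else:
        argv = cmd.split()
        pinned = argv and argv[0].rsplit("/", 1)[-1] == "svnserve" and "-t" in argv
        # sshd hands the forced command to the login shell, so reject metacharacters.
        if not pinned or re.search(r"[;&|`$<>()]", cmd):
            findings.append("forced command is not a plain 'svnserve -t'")
    # 'restrict' (newer OpenSSH) implies all of the individual no-* options.
    missing = set() if "restrict" in names else LOCKDOWN - names
    if missing:
        findings.append("missing: " + ", ".join(sorted(missing)))
    return findings

def audit(text):
    """Map line number -> findings for every entry that is not fully pinned."""
    rows = enumerate(text.splitlines(), 1)
    found = {n: audit_line(l) for n, l in rows if l.strip() and not l.lstrip().startswith("#")}
    return {n: f for n, f in found.items() if f}

# Constructed sample; the key material is a placeholder, not a real key.
SAMPLE = """\
command="/usr/bin/svnserve -t --tunnel-user=alice",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAPLACEHOLDER alice
ssh-rsa AAAAPLACEHOLDER bob
command="svnserve -t --tunnel-user=carol",no-pty ssh-ed25519 AAAAPLACEHOLDER carol
restrict,command="/usr/bin/cat /etc/passwd" ssh-ed25519 AAAAPLACEHOLDER dave
"""

if __name__ == "__main__":
    for n, f in audit(SAMPLE).items():
        print(n, f)
```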