Re: RFC: Securing maintainer uploads to master.gnome.org
- From: Maciej Marcin Piechotka <uzytkownik2 gmail com>
- To: Olav Vitters <olav vitters nl>
- Cc: desktop-devel-list gnome org
- Subject: Re: RFC: Securing maintainer uploads to master.gnome.org
- Date: Thu, 10 Nov 2011 15:19:07 +0000
On Thu, 2011-11-10 at 12:47 +0100, Olav Vitters wrote:
> Loads of people currently have access to master.gnome.org as to upload
> tarballs. This is currently done by handing out shell access to these
> people.
>
> If any of the 350+ has their machine compromised, someone could easily
> use that to reach shell on master.gnome.org. I don't want that to be
> possible.
>
+1
> My thoughts to secure this is:
> 1. Get rid of shell for ideally everyone (maintainers, release team,
> etc)
> 2. Uploads are done using:
> a. rsync over ssh using rrsync; this restricts what you can upload
> b. something like: ssh master.gnome.org install-module
> c. the install-module command looks at what you uploaded and then
> calls ftpadmin on it
> Problem:
> a. rsync might be annoying / unreliable
> b. don't think you can delete easily with rsync
> c. more annoying than e.g. sftp or scp
> Benefit:
> a. rsync over ssh is easy to secure
I may be wrong, but IIRC ssh can be configured to allow only scp
connections. Maybe a solution would be (instead of rsync):
- Allow scp
- Allow install-module as the default (and only) login shell
> 3. Access is determined using "doap" files
Hmm. Isn't access to git open to everyone who has a key? A malicious
attacker who compromises the account of one of the 350+ users may alter the doap file
(I guess it would be much easier to miss than, say, an unexpected release
which is followed by a public e-mail).
Regards
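The restriction discussed in this thread (no interactive shell; the key may only push tarballs into one directory via rsync or scp, or run install-module on a tarball already there) is what an SSH forced command gives you. The wrapper below is an added example, not code from the thread or from GNOME's sysadmin tooling: the paths /srv/incoming, /usr/bin/rrsync and /usr/local/bin/install-module, and the assumption that install-module takes a single tarball path, are made up for the example.

```shell
#!/bin/sh
# upload-shell: forced command for an uploader's key on the upload host.
# Assumed ~/.ssh/authorized_keys entry (key material elided):
#   command="/usr/local/bin/upload-shell",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA... maintainer
# sshd puts the command the client asked for into SSH_ORIGINAL_COMMAND;
# we only run it if it is one of the three things an uploader may do.
# All paths below are assumptions made for this example.

INCOMING=${INCOMING:-/srv/incoming}
RRSYNC=${RRSYNC:-/usr/bin/rrsync}
INSTALL_MODULE=${INSTALL_MODULE:-/usr/local/bin/install-module}

# classify_command CMD
# Prints which restricted action CMD maps to: rsync, scp, install or deny.
classify_command() {
    cmd=$1
    # Shell metacharacters and parent-directory references never occur in a
    # legitimate upload command, so reject them before looking at the verb.
    case $cmd in
        *'..'*|*';'*|*'|'*|*'&'*|*'`'*|*'$'*|*'>'*|*'<'*)
            echo deny; return ;;
    esac
    case $cmd in
        "rsync --server "*)
            # rsync's server side; rrsync (below) pins it to $INCOMING.
            echo rsync ;;
        "scp -t $INCOMING"|"scp -t $INCOMING/")
            # scp in sink mode into the incoming directory only; "scp -f"
            # (download) and any other target directory are refused.
            echo scp ;;
        "install-module "*)
            # A bare tarball name, no directory component, no extra args.
            tarball=${cmd#install-module }
            case $tarball in
                */*|*' '*) echo deny ;;
                [A-Za-z0-9]*.tar.xz|[A-Za-z0-9]*.tar.bz2|[A-Za-z0-9]*.tar.gz)
                    echo install ;;
                *) echo deny ;;
            esac ;;
        *) echo deny ;;
    esac
}

# Only dispatch when invoked by sshd, so the function above can also be
# sourced and exercised on its own.
if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
    case $(classify_command "$SSH_ORIGINAL_COMMAND") in
        rsync)   exec "$RRSYNC" "$INCOMING" ;;
        scp)     exec $SSH_ORIGINAL_COMMAND ;;
        install) exec "$INSTALL_MODULE" "$INCOMING/${SSH_ORIGINAL_COMMAND#install-module }" ;;
        *)       echo "upload-shell: command not permitted" >&2; exit 1 ;;
    esac
fi
```

The `no-pty` and forwarding restrictions in the key options matter as much as the command itself: without them a compromised uploader key could still be used as a SOCKS or agent-forwarding hop even though it never gets a shell. rrsync reads SSH_ORIGINAL_COMMAND itself and refuses any rsync invocation that escapes the directory it is given, which is why the wrapper does not try to parse rsync's own option string.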