Re: RFC: Securing maintainer uploads to master.gnome.org



On Thu, 2011-11-10 at 12:47 +0100, Olav Vitters wrote:
> Loads of people currently have access to master.gnome.org as to upload
> tarballs. This is currently done by handing out shell access to these
> people.
> 
> If any of the 350+ has their machine compromised, someone could easily
> use that to reach shell on master.gnome.org. I don't want that to be
> possible.
> 

+1

> My thoughts to secure this is:
> 1. Get rid of shell for ideally everyone (maintainers, release team,
> etc)
> 2. Uploads are done using:
>    a. rsync over ssh using rrsync; this restricts what you can upload
>    b. something like: ssh master.gnome.org install-module
>    c. the install-module command looks at what you uploaded and then
>    calls ftpadmin on it
>    Problem:
>    a. rsync might be annoying / unreliable
>    b. don't think you can delete easily with rsync
>    c. more annoying than e.g. sftp or scp
>    Benefit:
>    a. rsync over ssh is easy to secure

I may be wrong but IIRC ssh can be configured to allow only scp
connections. Maybe solution would be (instead of rsync):

 - Allow scp
 - Allow install-module as default (and only) login shell

> 3. Access is determined using "doap" files

Hmm. Isn't access to git open to everyone who have key? The malicious
attacker who compromise account one of 350+ user may alter the doap file
(I guess it would be much easier to miss then say unexpected release
which is followed by public e-mail).

Regards



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]