Re: Security incident on Alioth and other Alioth news

[Raphael Hertzog <hertzog@debian.org>]

Hi,

On Wed, 06 Sep 2006, Henrique de Moraes Holschuh wrote:
> On Wed, 06 Sep 2006, Raphael Hertzog wrote:
> > This move will let us merge costa.d.o (svn/bzr/arch/git.d.o), and haydn.d.o
> > (alioth.debian.org) on a single host. This also means that the transition can't
> 
> Thus guaranteeing that futher security incidents on a host that allows
> people to install software are now going to affect the version control
> systems.
> 
> Please reconsider.  svn/bzr/arch/git.d.o should run on an audited machine,
> where we have little access other than enough to do local repository
> maintenance, and where no untrusted software is allowed.

Running svn/bzr/arch/git on a separate machine adds very little security
since all the accounts of costa are copies of the accounts on alioth. And
the shell access is needed to be able to commit, to setup notifications,
and to make private backups.

If the attacker gets root rights after having compromised a web
application, he will have access to the password database and will
be able to crack them or simply change a password from a rarely used
account and wait for it to be propagated to the other machine.
If he doesn't get more rights than www-data, he won't be able to do
anything to the VCS repositories.

The reason why we moved svn.debian.org to a separate machine was more a
disk and ressource issue than a security one. 

Cheers,
-- 
Raphaël Hertzog

Premier livre français sur Debian GNU/Linux :
http://www.ouaza.com/livre/admin-debian/