Re: Security incident on Alioth and other Alioth news
On Wed, 06 Sep 2006, Raphael Hertzog wrote:
> Running svn/bzr/arch/git on a separate machine adds very little security
> since all the accounts of costa are copies of the accounts on alioth. And
Time to fix that, then.
> If the attacker gets root rights after having compromised a web
> application, he will have access to the password database and will
> be able to crack them or simply change a password from a rarely used
Just remove all password-based shell access, make it key-based only.
Of course, to really close the hole, you need to periodically hunt down
irresponsible users that upload gpg and ssh private keys to their accounts
(password-protected or not, it doesn't matter).
> If he doesn't get more rights than www-data, he won't be able to do
> anything to the VCS repositories.
However, getting more rights is just a matter of waiting for the next kernel
exploit (just like the attacker did in the last @d.o compromise before
Alioth). Unless Alioth updates kernels now on a very narrow time window,
that even our security team is not capable of meeting?
> The reason why we moved svn.debian.org to a separate machine was more a
> disk and resource issue than a security one.
Well, maybe it is time to consider improving the security setup instead of
making it worse... And that will be that much easier if the repositories
are not sharing a box with the rest of gforge and user applications.
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
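
The periodic hunt for uploaded private keys mentioned in the reply above could be automated along these lines. This is an added example, not part of the original message or of Alioth's tooling; the function names, the sample tree and its file contents are constructed for illustration. Encrypted keys are reported as well, since the reply treats password protection as irrelevant.

```python
import os
import re
import tempfile

# ASCII-armoured private key headers: PEM (RSA/DSA/EC/PKCS#8), OpenSSH, PGP.
MARKER = re.compile(
    rb"-----BEGIN (?:(?:RSA |DSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY"
    rb"|PGP PRIVATE KEY BLOCK)-----"
)
# GnuPG binary secret key stores carry no text header, so match them by name.
GNUPG_NAMES = {"secring.gpg", "private-keys-v1.d"}


def scan_home(root, head_bytes=4096):
    """Return sorted (relative path, reason) pairs for likely private keys."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            if name in GNUPG_NAMES:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel, "gnupg secret key store"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks, FIFOs and device nodes
            try:
                with open(path, "rb") as fh:
                    head = fh.read(head_bytes)
            except OSError:
                continue  # unreadable or vanished: keep sweeping
            if MARKER.search(head):
                findings.append((os.path.relpath(path, root), "armoured private key"))
    return sorted(findings)


def demo():
    """Build a constructed home tree (fake key bodies) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "alice", ".ssh"))
        os.makedirs(os.path.join(root, "bob", ".gnupg"))
        samples = {
            "alice/.ssh/id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n",
            "alice/.ssh/id_rsa.pub": b"ssh-rsa CONSTRUCTED alice@example\n",
            "bob/.gnupg/secring.gpg": b"\x95\x01constructed",
        }
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return scan_home(root)
```

Run as root against the real home directory tree, `scan_home("/home")` gives the list of accounts to follow up with; only the first 4096 bytes of each file are read, so a key pasted deep inside a larger file is not detected.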