
Re: CVS and SSH



On Wed, Mar 27, 2002 at 02:13:47PM +0100, G. Soyez wrote:
> On Mårdi 12 Måss 2002 02:42, Joey Hess wrote:
> > Sven Gaerner wrote:
> > > I've got a (hopefully) little problem. I want to grant some people
> > > CVS access to my machine. They should connect by using SSH but I don't
> > > want to give them a shell. They should be able to use CVS with SSH but
> > > without logging in to my machine.
> > >
> > > Does anyone have an idea how to get this working?
> > >
> > > Please CC any answers to me because I'm not subscribed.
> >
> > Are these people going to be able to commit to the repository or not?
> >
> > If not, it's easy: http://kitenet.net/programs/sshcvs
> >
> > If they need to be able to commit too, it becomes much harder, since cvs
> > is not designed to prevent committers from getting shell access, in
> > general. You need to make sure they cannot commit to certain files in
> > CVSROOT which shell code can be put into (I've seen this used to get
> > shell access to sourceforge, though they may have closed that hole now).
> 
> Couldn't you just replace the command launching the shell (e.g. /bin/bash in 
> /etc/passwd) by some simple script telling that connection is refused ?
> In such a way, connection is allowed but offers no shell.

As I understand Joey, here he tries to warn against a user getting shell
access after committing changes in CVSROOT. It seems not difficult to
exploit.
Simply starring the user password should be enough to prevent him using
the shell the normal way.

Would it be possible to chroot cvs ?

Christophe

> 
> -- 
> Grégory Soyez
> Université de Liège
> Institut de Physique 
> Allée du VI Août, Bât B5
> B-4000 Sart-Tilman LIEGE 1
> Tel : +32 (0)4 366 36 04
> Fax: +32 (0)4 366 36 72
> 
> 

-- 
Christophe Barbé <christophe.barbe@ufies.org>
GnuPG FingerPrint: E0F6 FADF 2A5C F072 6AF8  F67A 8F45 2F1E D72C B41E

Cats are rather delicate creatures and they are subject to a good
many ailments, but I never heard of one who suffered from insomnia.
--Joseph Wood Krutch
