restricting shell access on svn.dslinux.in-berlin.de
stsp at stsp.in-berlin.de
Tue Mar 20 21:52:51 CET 2007
as some of you know I am co-administrating the CVS/SVN server at
in-berlin which also hosts the DSLinux subversion repository.
Currently, everyone who has commit access on the server
via svn+ssh can run a shell on the server.
So far, we were more or less the only project on the box, so
this wasn't really an issue since I trust you guys, but
there will probably be more projects in the future, so
the number of users on the box might grow.
So in an effort to make the box more secure, I am looking into
restricting shell access for committers. The current plan
is to use the "command=" feature in ~/.ssh/authorized_keys,
which restricts a user logged in via ssh to run a single
fixed command only.
I've run a few tests and it seems that setting
command="/usr/sbin/svnserve -t" in a committer's ~/.ssh/authorized_keys
file does not reduce svn functionality, but prevents the committer from
running a shell on the box (I've tested import, commit, log, diff,
Long story short:
I will use you guys as test monkeys ;-)
I will place this restriction in your authorized_keys files tonight.
If there are any problems accessing the repository, please let me know,
I will try to fix them asap or find a better way of doing this
if there are problem with the authorized_keys file approach.
http://stsp.in-berlin.de PGP Key: 0xF59D25F0
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 187 bytes
Desc: not available
Url : http://mailman.dslinux.in-berlin.de/pipermail/dslinux-devel-dslinux.in-berlin.de/attachments/20070320/233f5af2/attachment.pgp
More information about the dslinux-devel