Re: RFC: Securing maintainer uploads to master.gnome.org

From: Maciej Marcin Piechotka <uzytkownik2 gmail com>
To: Olav Vitters <olav vitters nl>
Cc: desktop-devel-list gnome org
Subject: Re: RFC: Securing maintainer uploads to master.gnome.org
Date: Thu, 10 Nov 2011 15:19:07 +0000

On Thu, 2011-11-10 at 12:47 +0100, Olav Vitters wrote:
> Loads of people currently have access to master.gnome.org as to upload
> tarballs. This is currently done by handing out shell access to these
> people.
> 
> If any of the 350+ has their machine compromised, someone could easily
> use that to reach shell on master.gnome.org. I don't want that to be
> possible.
> 

+1

> My thoughts to secure this is:
> 1. Get rid of shell for ideally everyone (maintainers, release team,
> etc)
> 2. Uploads are done using:
>    a. rsync over ssh using rrsync; this restricts what you can upload
>    b. something like: ssh master.gnome.org install-module
>    c. the install-module command looks at what you uploaded and then
>    calls ftpadmin on it
>    Problem:
>    a. rsync might be annoying / unreliable
>    b. don't think you can delete easily with rsync
>    c. more annoying than e.g. sftp or scp
>    Benefit:
>    a. rsync over ssh is easy to secure

I may be wrong but IIRC ssh can be configured to allow only scp
connections. Maybe solution would be (instead of rsync):

 - Allow scp
 - Allow install-module as default (and only) login shell

> 3. Access is determined using "doap" files

Hmm. Isn't access to git open to everyone who have key? The malicious
attacker who compromise account one of 350+ user may alter the doap file
(I guess it would be much easier to miss then say unexpected release
which is followed by public e-mail).

Regards

Follow-Ups:
- Re: RFC: Securing maintainer uploads to master.gnome.org
  - From: Olav Vitters

References:
- RFC: Securing maintainer uploads to master.gnome.org
  - From: Olav Vitters

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]