On Thu, 2011-11-10 at 12:47 +0100, Olav Vitters wrote:
> Loads of people currently have access to master.gnome.org as to upload
> tarballs. This is currently done by handing out shell access to these
> people.
>
> If any of the 350+ has their machine compromised, someone could easily
> use that to reach shell on master.gnome.org. I don't want that to be
> possible.
>
+1

> My thoughts to secure this are:
> 1. Get rid of shell for ideally everyone (maintainers, release team,
> etc)
> 2. Uploads are done using:
> a. rsync over ssh using rrsync; this restricts what you can upload
> b. something like: ssh master.gnome.org install-module
> c. the install-module command looks at what you uploaded and then
> calls ftpadmin on it
> Problem:
> a. rsync might be annoying / unreliable
> b. don't think you can delete easily with rsync
> c. more annoying than e.g. sftp or scp
> Benefit:
> a. rsync over ssh is easy to secure

I may be wrong but IIRC ssh can be configured to allow only scp
connections. Maybe the solution would be (instead of rsync):
- Allow scp
- Allow install-module as the default (and only) login shell

> 3. Access is determined using "doap" files

Hmm. Isn't access to git open to everyone who has a key? A malicious
attacker who compromises the account of one of the 350+ users may alter
the doap file (I guess it would be much easier to miss than, say, an
unexpected release which is followed by a public e-mail).

Regards
_______________________________________________
desktop-devel-list mailing list
desktop-devel-list@gnome.org
http://mail.gnome.org/mailman/listinfo/desktop-devel-list
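The upload-only account both messages describe (no interactive shell, just scp into a staging area and the install-module command) is usually built with an OpenSSH forced command: sshd runs the configured wrapper instead of whatever the client asked for and hands the client's request over in SSH_ORIGINAL_COMMAND, so the wrapper decides what is permitted. The script below is an added example written for this thread, not GNOME's own install-module, ftpadmin or sysadmin code; the staging directory /home/uploads and the wrapper path /usr/local/bin/upload-only are assumptions, and rrsync (mentioned in the thread) is the equivalent wrapper for the rsync variant.

```shell
#!/bin/sh
# upload-only: OpenSSH forced-command wrapper for tarball uploaders.
# Added example for this thread, not GNOME's own code. Install per key in
# ~/.ssh/authorized_keys of the upload account (hypothetical paths):
#   no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/local/bin/upload-only" ssh-rsa AAAA... maintainer@example
# (on OpenSSH 7.2+ the single option "restrict" replaces the no-* list).
# With ForceCommand in an sshd_config Match block the same wrapper applies
# to every key of the account, so a compromised workstation can only do
# what allow_command() below accepts, never open a shell.

UPLOAD_DIR="/home/uploads"   # assumed staging directory for new tarballs

# allow_command STRING -> exit status 0 if STRING is one of the two
# permitted request shapes, 1 for anything else:
#   scp -t $UPLOAD_DIR/<name>.tar.{gz,bz2,xz}   (scp in sink mode, one file)
#   install-module <name>.tar.{gz,bz2,xz}       (bare file name, no path)
allow_command() {
    orig=$1
    # Character allowlist: everything outside it (quotes ; & | $ ` ( ) < >
    # * ? ~ newline ...) is refused before the string is word-split, so the
    # request never carries shell syntax and is safe to exec unquoted.
    leftover=$(printf '%s' "$orig" | tr -d 'A-Za-z0-9_./ -')
    [ -n "$orig" ] && [ -z "$leftover" ] || return 1
    case "$orig" in *..*) return 1 ;; esac     # no path traversal at all
    set -- $orig                               # split the validated string
    case "$1" in
        scp)
            # Sink mode only (-t), exactly one target, inside the staging dir.
            [ "$#" -eq 3 ] && [ "$2" = "-t" ] || return 1
            case "$3" in
                "$UPLOAD_DIR"/*.tar.gz|"$UPLOAD_DIR"/*.tar.bz2|"$UPLOAD_DIR"/*.tar.xz) ;;
                *) return 1 ;;
            esac
            base=${3#"$UPLOAD_DIR/"}
            case "$base" in */*|.*) return 1 ;; esac   # no subdirs, no dotfiles
            return 0 ;;
        install-module)
            # One argument, a plain tarball name; no directories, no options.
            [ "$#" -eq 2 ] || return 1
            case "$2" in
                */*|.*|-*) return 1 ;;
                *.tar.gz|*.tar.bz2|*.tar.xz) return 0 ;;
                *) return 1 ;;
            esac ;;
        *) return 1 ;;   # anything else, including a plain login or "bash -i"
    esac
}

# Entry point when sshd invokes us; left untouched when sourced for testing.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if allow_command "$SSH_ORIGINAL_COMMAND"; then
        logger -t upload-only "allowed: $SSH_ORIGINAL_COMMAND"    # audit trail
        exec $SSH_ORIGINAL_COMMAND   # unquoted on purpose: already validated
    else
        logger -t upload-only "REJECTED: $SSH_ORIGINAL_COMMAND"
        printf 'upload-only account: command not permitted\n' >&2
        exit 1
    fi
fi
```

The point of the character allowlist is that the wrapper never evaluates the request as shell, so "install-module foo.tar.xz; rm -rf /" is rejected before any splitting happens; the two rejected log lines (via logger) give the admins a signal when a stolen key starts trying things other than uploads. The install-module command itself should still re-validate the tarball it is handed, since the wrapper only controls the shape of the request, not the contents.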