On 17 Nov 2014 18:52, "Martin Pool" <m...@sourcefrog.net> wrote:
>
> Hi, Sebastian,
>
> I don't recall the exact command, but it's probably going to be `distccd --inet ...something...`. You might be able to see it in the distcc verbose log.
>
> Being able to restrict the command would be good.
>
> However the main problem with this approach is that distccd in turn executes a client-supplied command, and it at the moment doesn't have a way to limit that.

Actually we do have a way to limit that, via commands.allow.sh, which is executed by /etc/init.d/distccd and which sets environment variables used by distccd. See the following extract from the distccd man page:

-----
ENVIRONMENT VARIABLES

DISTCC_CMDLIST
    If the environment variable DISTCC_CMDLIST is set, load a list of supported commands from the file named by DISTCC_CMDLIST, and refuse to serve any command whose last DISTCC_CMDLIST_MATCHWORDS last words do not match those of a command in that list. See the comments in src/serve.c.

DISTCC_CMDLIST_NUMWORDS
    The number of words, from the end of the command, to match. The default is 1.
----

> Two complementary things we could do:
> - run distcc within a chroot/container that contains only the compiler
>   - ideally, provide a reusable way for other people to set this up
>   - at least documentation, maybe a script
> - give distccd restrictions on what commands it can run
>
>
> On Sun Nov 09 2014 at 7:29:12 AM Sebastian Wieseler <sebast...@nanofortnight.org> wrote:
>>
>> Hello Distcc List,
>>
>> I followed the guide http://wiki.gentoo.org/wiki/Distcc to get Distcc to work with SSH.
>> That should work as follows:
>> /usr/bin/distcc-config --set-hosts "@test1"
>>
>> I'm just wondering how to limit the portage user to get a real SSH shell on the "compiling box".
>> There should be a way with the .authorized_keys and the command="…" parameter for the SSH key.
>>
>> What command will be exactly executed on the remote host within the distcc call?
>> To just specify command="/usr/bin/distcc" does not work for example.
>>
>> Is there a way to make this even more secure? I couldn't find any information on this on the web.
>> Thanks for helping.
>>
>> Best Regards,
>> Sebastian 'kickino'
>> --
>>  ,= ,-_-. =.          /"\
>> ((_/)o o(\_))         \ /   ASCII Ribbon Campaign
>>  `-'(. .)`-'     &&    X    against HTML e-mail
>>      \_/              / \
>>
>>
>> __
>> distcc mailing list http://distcc.samba.org/
>> To unsubscribe or change options:
>> https://lists.samba.org/mailman/listinfo/distcc
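The matching rule from the man page extract in the reply above, modelled in Python as an added example; it is not part of the original thread and is not distcc's src/serve.c. It assumes the DISTCC_CMDLIST file holds one command per line and that "words" are '/'-separated path components, and it refuses a command that has fewer words than requested (a choice of this model); the sample list and function names are constructed.

```python
# Model of the DISTCC_CMDLIST rule quoted from the distccd man page.
# Assumptions (not confirmed by the thread): one command per line in the
# list file, and "words" are '/'-separated path components.

# Constructed sample list, not taken from the thread.
SAMPLE_CMDLIST = """\
/usr/bin/gcc
/usr/bin/g++

/usr/lib/distcc/bin/x86_64-pc-linux-gnu-gcc
"""


def load_cmdlist(text):
    """Return the non-blank lines of the list file as command entries."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def tail_words(command, numwords):
    """Return the last `numwords` path components of `command` as a tuple."""
    words = [w for w in command.split("/") if w]
    return tuple(words[-numwords:])


def is_allowed(command, cmdlist, numwords=1):
    """True if the command's trailing words equal those of a list entry.

    `numwords` plays the role of DISTCC_CMDLIST_NUMWORDS (default 1).
    A command with fewer than `numwords` words is refused (fail closed).
    """
    if numwords < 1:
        raise ValueError("numwords must be >= 1")
    wanted = tail_words(command, numwords)
    if len(wanted) < numwords:
        return False
    return any(tail_words(entry, numwords) == wanted for entry in cmdlist)


if __name__ == "__main__":
    allowed = load_cmdlist(SAMPLE_CMDLIST)
    for cmd, n in [("gcc", 1), ("/bin/sh", 1), ("/opt/other/gcc", 1),
                   ("/opt/other/gcc", 3), ("/usr/bin/gcc", 3)]:
        verdict = "serve" if is_allowed(cmd, allowed, n) else "refuse"
        print(f"NUMWORDS={n} {cmd!r}: {verdict}")
```

Under this model the default of one word compares only the final path component, so a larger DISTCC_CMDLIST_NUMWORDS ties the match to more of the listed path.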