Thanks, Fergus. But how do those variables get set if it's invoked over ssh?
On Tue, Nov 18, 2014 at 1:15 AM, Fergus Henderson <fer...@google.com> wrote:

> On 17 Nov 2014 18:52, "Martin Pool" <m...@sourcefrog.net> wrote:
> >
> > Hi, Sebastian,
> >
> > I don't recall the exact command, but it's probably going to be `distccd --inet ...something...`. You might be able to see it in the distcc verbose log.
> >
> > Being able to restrict the command would be good.
> >
> > However the main problem with this approach is that distccd in turn executes a client-supplied command, and it at the moment doesn't have a way to limit that.
>
> Actually we do have a way to limit that, via commands.allow.sh which is executed by /etc/init.d/distccd and which sets environment variables used by distccd.
>
> See the following extract from the distccd man page:
>
> -----
> *ENVIRONMENT VARIABLES*
>
> *DISTCC_CMDLIST*
> If the environment variable DISTCC_CMDLIST is set, load a list of supported commands from the file named by DISTCC_CMDLIST, and refuse to serve any command whose last DISTCC_CMDLIST_MATCHWORDS last words do not match those of a command in that list. See the comments in src/serve.c.
>
> *DISTCC_CMDLIST_NUMWORDS*
> The number of words, from the end of the command, to match. The default is 1.
> ----
>
> > Two complementary things we could do:
> >
> > - run distcc within a chroot/container that contains only the compiler - ideally, provide a reusable way for other people to set this up - at least documentation, maybe a script
> >
> > - give distccd restrictions on what commands it can run
> >
> > On Sun Nov 09 2014 at 7:29:12 AM Sebastian Wieseler <sebast...@nanofortnight.org> wrote:
> >>
> >> Hello Distcc List,
> >>
> >> I followed the guide http://wiki.gentoo.org/wiki/Distcc to get Distcc to work with SSH.
> >> That should work as follows:
> >> /usr/bin/distcc-config --set-hosts "@test1"
> >>
> >> I'm just wondering how to limit the portage user to get a real SSH shell on the "compiling box".
> >> There should be a way with the .authorized_keys and the command="…" parameter for the SSH key.
> >>
> >> What command will be exactly executed on the remote host within the distcc call?
> >> To just specify command="/usr/bin/distcc" does not work for example.
> >>
> >> Is there a way to make this even more secure? I couldn't find any information on this on the web.
> >> Thanks for helping.
> >>
> >> Best Regards,
> >> Sebastian 'kickino'

--
Martin
__
distcc mailing list http://distcc.samba.org/
To unsubscribe or change options:
https://lists.samba.org/mailman/listinfo/distcc
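One way the variables could be set in the ssh case asked about at the top of this message, as an added example that is not from the thread or from the distcc project: an `authorized_keys` forced-command wrapper that checks `SSH_ORIGINAL_COMMAND`, exports `DISTCC_CMDLIST` and `DISTCC_CMDLIST_NUMWORDS`, and only then starts distccd. The wrapper path, the list file path and the two accepted command strings are assumptions; confirm the real command line in the distcc verbose log, as suggested in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the distcc source): forced-command
# wrapper for the ssh key that distcc clients use.
#
# authorized_keys entry, one line; path and key are placeholders:
#   command="/usr/local/bin/distccd-ssh-wrapper --serve",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 <client-public-key>
#
# sshd runs the command= string instead of whatever the client asked for and
# puts the client's request in SSH_ORIGINAL_COMMAND.

# ASSUMPTION: location of the allowed-compiler list read via DISTCC_CMDLIST.
CMDLIST_FILE=/etc/distcc/commands.allow

# Return 0 only for the exact command lines a distcc client is expected to send.
# ASSUMPTION: these two strings; confirm yours in the distcc verbose log.
distcc_cmd_allowed() {
    case "$1" in
        'distccd --inetd --enable-tcp-insecure'|'distccd --inetd') return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    if distcc_cmd_allowed "${SSH_ORIGINAL_COMMAND:-}"; then
        # The variables from the man page extract quoted in the thread.
        DISTCC_CMDLIST=$CMDLIST_FILE
        DISTCC_CMDLIST_NUMWORDS=1
        export DISTCC_CMDLIST DISTCC_CMDLIST_NUMWORDS
        # Unquoted on purpose: the string is byte-for-byte one of the fixed
        # entries above, so word splitting cannot introduce anything new.
        exec $SSH_ORIGINAL_COMMAND
    fi
    # Interactive logins (variable unset) and any other command end here.
    echo "distccd-ssh-wrapper: refused" >&2
    exit 1
}

# Serve only when called with --serve, as in the authorized_keys line above.
if [ "${1:-}" = "--serve" ]; then
    main
fi
```

The wrapper limits what the ssh key can start; `DISTCC_CMDLIST` separately limits which compiler commands distccd will then serve.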