Hi there

On Mon, Jun 27, 2011 at 11:17 AM, Marius Mårnes Mathiesen
<marius.mathie...@gmail.com> wrote:
> On Sun, Jun 26, 2011 at 10:16 AM, martin <mar...@siamect.com> wrote:
>> I don't understand why you are concerned about the dedicated git user
>> account... just lock it down properly. You have exactly the same
>> situation on every ssh server on the planet.
>
> As I mentioned above, I suspect most users running their own Gitorious
> servers have sshd running as the root user, since otherwise they'd need a
> separate IP address/port in order to do maintenance on their servers. I
> don't think it's reasonable to assume people looking for a way to
> collaborate on code have experience in locking down a SSH daemon on their
> server.

Since this came up several times now: Can you explain that part? I
wonder if you'd consider my environment at risk.

Looking at man sshd_config I think I'm fine:

 UsePrivilegeSeparation
             Specifies whether sshd(8) separates privileges by creating an
             unprivileged child process to deal with incoming network
             traffic.  After successful authentication, another process
             will be created that has the privilege of the authenticated
             user.  The goal of privilege separation is to prevent
             privilege escalation by containing any corruption within the
             unprivileged processes.  The default is “yes”.

But maybe I'm not understanding the concern. So I am running ssh as
root (like most users, as you said), but it seems to be the default to
enable privilege separation, which kind of ends up doing what you do
manually: It runs the network facing service unprivileged.

Regards,
Ben

-- 
To post to this group, send email to gitorious@googlegroups.com
To unsubscribe from this group, send email to
gitorious+unsubscr...@googlegroups.com
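
Added example, not part of the message above and not OpenSSH code: a small audit helper that works out which UsePrivilegeSeparation value sshd would actually use from the text of an sshd_config, using the default from the man page excerpt quoted in the message. The function names and the sample configuration are constructed for illustration, and treating any value other than "no" as enabled is an assumption of this sketch.

```python
import re

DEFAULT = "yes"  # default stated in the man page text quoted in the message
KEYWORD = "useprivilegeseparation"

# Constructed sample, not taken from a real server.
SAMPLE = """\
# constructed sample sshd_config
Port 22
useprivilegeseparation no
PermitRootLogin no
UsePrivilegeSeparation yes
Match User git
    AllowTcpForwarding no
"""

def effective_privsep(config_text):
    """Return (value, line_no, shadowed).

    value    -- the setting that takes effect
    line_no  -- line that set it, or None when the default applies
    shadowed -- later (line_no, value) entries that are ignored, because
                sshd keeps the first value it obtains for a keyword
    """
    value, line_no, shadowed = DEFAULT, None, []
    for n, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()  # keywords are case-insensitive
        arg = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        if key == "match":
            break  # global section ends at the first Match block
        if key != KEYWORD:
            continue
        if line_no is None:
            value, line_no = arg, n
        else:
            shadowed.append((n, arg))
    return value, line_no, shadowed

def network_child_unprivileged(config_text):
    """True when the network-facing child runs unprivileged (assumption:
    any value other than "no" counts as enabled)."""
    return effective_privsep(config_text)[0] != "no"

if __name__ == "__main__":
    print(effective_privsep(SAMPLE), network_child_unprivileged(SAMPLE))
```

On a live host, compare the result with what `sshd -T` reports; OpenSSH 7.5 and later deprecate this option and always use privilege separation.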
