Re: How to programmatically restrict a /bin/rm command in a repository?

2003-09-04 Thread Larry Jones
Christopher Rumpf writes:
> 
> This is a multi-part message in MIME format.

Please do not send MIME and/or HTML encrypted messages to the list.
Plain text only, PLEASE!

> I have some developers who simply refuse to use the 'cvs rm', 'cvs
> delete' and 'cvs remove' commands.  Instead they log into the CVS server
> (using SSH), cd into the repository and /bin/rm the ,v files which they
> are concerned about.  (yikes!)

You can configure sshd to only let them run cvs and not other commands
(including a generic login).  See the ssh documentation for details.

-Larry Jones

I like maxims that don't encourage behavior modification. -- Calvin


___
Info-cvs mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/info-cvs


Re: How to programmatically restrict a /bin/rm command in a repository?

2003-09-04 Thread Rob Helmer
Yeesh. Have you explained why this is wrong, that they are losing
history when they do this, and the potential for irreversible accidents? 
It's better to rule by consensus than by fiat.. not to say you can't
persuade them to agree with you AND refuse to allow them full access.

Is it acceptable to remove their regular login shell? They are 
obviously abusing their access, and if so it makes this restriction
pretty easy.

The only command they need to be able to run to access the CVS
server via SSH is "cvs server". You could make a pretty trivial
shell script that's used as a login shell, which only allows
that command to be executed.



HTH,
Rob


On Tue, Sep 02, 2003 at 05:24:53PM -0400, Christopher Rumpf wrote:
> Hi there.
>
> I have some developers who simply refuse to use the 'cvs rm', 'cvs delete'
> and 'cvs remove' commands.  Instead they log into the CVS server (using
> SSH), cd into the repository and /bin/rm the ,v files which they are
> concerned about.  (yikes!)
>
> Removing their cvs write permissions is not a solution which will work as
> most of these people are major contributors.
>
> Has anyone encountered this before and how did you solve it?  The only way I
> can think (right now) is to write  a script that will run for every single
> /bin/rm command which will first make sure that the repository path is not
> in the path to be deleted.  This seems very inefficient.
>
> Is there an easier way using UNIX groups and/or some other Unix admin
> command or trick I don't know of?
>
> Thanks!
>
> /* ---
>  Christopher Rumpf
>  786.385.3892:MOBILE
>  305.860.4461:FAX
>  MrRumpf:YIM
> --- */






Re: How to programmatically restrict a /bin/rm command in a repository?

2003-09-04 Thread Eric Siegerman
On Tue, Sep 02, 2003 at 05:24:53PM -0400, Christopher Rumpf wrote:
> I have some developers who simply refuse to use the 'cvs rm', 'cvs delete'
> and 'cvs remove' commands.  Instead they log into the CVS server (using
> SSH), cd into the repository and /bin/rm the ,v files which they are
> concerned about.  (yikes!)

Configure SSH to prevent them from getting interactive sessions.
Restrict these bozos to exactly one command: "cvs server".

> The only way I
> can think (right now) is to write  a script that will run for every single
> /bin/rm command which will first make sure that the repository path is not
> in the path to be deleted.  This seems very inefficient.

And hopelessly insecure.  What's to prevent them from going
behind your script's back to the real rm command -- or writing
their own delete-file command?

--

|  | /\
|-_|/  >   Eric Siegerman, Toronto, Ont.[EMAIL PROTECTED]
|  |  /
When I came back around from the dark side, there in front of me would
be the landing area where the crew was, and the Earth, all in the view
of my window. I couldn't help but think that there in front of me was
all of humanity, except me.
- Michael Collins, Apollo 11 Command Module Pilot





Re: How to programmatically restrict a /bin/rm command in a repository?

2003-09-04 Thread Greg A. Woods
[ On Tuesday, September 2, 2003 at 17:24:53 (-0400), Christopher Rumpf wrote: ]
> Subject: How to programmatically restrict a /bin/rm command in a repository?
>
> I have some developers who simply refuse to use the 'cvs rm', 'cvs delete'
> and 'cvs remove' commands.  Instead they log into the CVS server (using
> SSH), cd into the repository and /bin/rm the ,v files which they are
> concerned about.  (yikes!)

If you can't retrain them using external policy enforcement (peer
pressure, management directives, etc.) then I'd suggest replacing
/bin/rm on that system with a program that fails with a nice explanatory
message if it finds itself being told to remove any file within your
repository.

> Has anyone encountered this before and how did you solve it?

Most of the time I've found it sufficient to tell such people that if
they don't stop doing such things then they'll be fired on the spot,
plain and simple (and in those cases either I am effectively management,
or at least I have management firmly on my side).

>  The only way I
> can think (right now) is to write  a script that will run for every single
> /bin/rm command which will first make sure that the repository path is not
> in the path to be deleted.

You need to check the current working directory and chase down relative
paths too.

>  This seems very inefficient.

Inefficient?  In what way?

It's not a perfect or unbeatable solution of course (a good programmer
or even a talented non-programmer can probably find a dozen more ways to
remove a file), but somehow you have to get the point across to them and
hopefully you can do it in such a way that they'll learn from their
mistakes and not simply stomp off in a huff.

In fact you probably don't even want to appear to be trying to make it
perfect or unbreakable -- you just want them to know that messing with
files directly in the repository is forbidden except in very special
circumstances, and only with the direct permission and participation of
the repository manager.

CVS is not a security tool and indeed any application like it must
either work like Fort Knox and take on all security responsibility
itself or else rely on external policy enforcement (e.g. peer pressure,
education, threat of losing your job, etc.) in order to maintain data
integrity.  Most collaborative Unix/POSIX based distributed applications
cannot successfully work like Fort Knox and shouldn't even try to do so.

> 

Please DO NOT EVER send HTML, rich text, or otherwise stylized e-mail,
especially not to me or to any public mailing list.  Not all mail
readers will recognize such formats, and their added volume is generally
a total waste of bandwidth, storage, and processing power for everyone.
HTML in particular is a potential security threat and many firewalls and
some mailing lists filter it entirely -- especially since CERT and
Microsoft have jointly announced a very major flaw in the HTML rendering
engine used in all Microsoft products (in versions still widely in use,
and which isn't even properly fixed in the most recent releases).

For more information see, for instance, the following articles:

http://www.georgedillon.com/web/html_email_is_evil.shtml

http://www.georgedillon.com/web/html_email_is_evil_still.shtml

http://www.greydragon.org/library/email_list_etiquette.html

Please send all your messages as plain text only.


-- 
Greg A. Woods

+1 416 218-0098  VE3TCPRoboHack <[EMAIL PROTECTED]>
Planix, Inc. <[EMAIL PROTECTED]>  Secrets of the Weird <[EMAIL PROTECTED]>




Re: How to programmatically restrict a /bin/rm command in a repository?

2003-09-04 Thread Mark
Christopher Rumpf wrote:

> I have some developers who simply refuse to use the ‘cvs rm’, ‘cvs 
> delete’ and ‘cvs remove’ commands.  Instead they log into the CVS server 
> (using SSH), cd into the repository and /bin/rm the ,v files which they 
> are concerned about.  (yikes!)

> Removing their cvs write permissions is not a solution which will work 
> as most of these people are major contributors.

> Has anyone encountered this before and how did you solve it?  The only 
> way I can think (right now) is to write  a script that will run for 
> every single /bin/rm command which will first make sure that the 
> repository path is not in the path to be deleted.  This seems very 
> inefficient.

> Is there an easier way using UNIX groups and/or some other Unix admin 
> command or trick I don’t know of?

If you're using CVS in a local firewall protected (not over the 
internet) network, you could use a non-root pserver, cvs run by a 
regular system user like "pserver" instead of root in inetd.conf and 
have only that account have any type of write access to the 
repository file system.

If there is a way with ssh, I would like to know about it as well.

Mark




RE: How to programmatically restrict a /bin/rm command in a repository?

2003-09-04 Thread Zieg, Mark
>  I have some developers who simply refuse to use the 'cvs rm',
> 'cvs delete' and 'cvs remove' commands.  Instead they log into 
> the CVS server (using SSH), cd into the repository and /bin/rm
> the ,v files which they are concerned about.  (yikes!)

You'll hear many replies along these lines, but what you've described is
a firing offense in my company (and the last company I worked for, too).

Programmers who deliberately destroy a project's CM history are
destroying company property and circumventing an essential
risk-management process.  Those employees need to be made to understand,
unambiguously, that destruction of company IP will result in their
immediate termination.

There are plenty of skilled programmers in the job market who understand
this already, and would be happy to replace any prima donnas who
consider themselves above such concerns.




RE: How to programmatically restrict a /bin/rm command in a repository?

2003-09-04 Thread Sergey Gurov
You may look here:

And there:
 http://www.sublimation.org/scponly/ 

for some ideas on how to restrict ssh user's access.

Sergey.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Christopher Rumpf
Sent: Wednesday, September 03, 2003 1:25 AM
To: [EMAIL PROTECTED]
Subject: How to programmatically restrict a /bin/rm command in a
repository?


Hi there.

I have some developers who simply refuse to use the 'cvs rm', 'cvs
delete' and 'cvs remove' commands.  Instead they log into the CVS server
(using SSH), cd into the repository and /bin/rm the ,v files which they
are concerned about.  (yikes!)

Removing their cvs write permissions is not a solution which will work
as most of these people are major contributors.

Has anyone encountered this before and how did you solve it?  The only
way I can think (right now) is to write  a script that will run for
every single /bin/rm command which will first make sure that the
repository path is not in the path to be deleted.  This seems very
inefficient.

Is there an easier way using UNIX groups and/or some other Unix admin
command or trick I don't know of?

Thanks!

/* ---
 Christopher Rumpf
 786.385.3892:MOBILE
 305.860.4461:FAX
 MrRumpf:YIM
--- */





Re: How to programmatically restrict a /bin/rm command in a repository?

2003-09-04 Thread Matthew . Riechers
Christopher Rumpf wrote:
> 
> Hi there.
> 
> 
> 
> I have some developers who simply refuse to use the ‘cvs rm’, ‘cvs
> delete’ and ‘cvs remove’ commands.  Instead they log into the CVS
> server (using SSH), cd into the repository and /bin/rm the ,v files
> which they are concerned about.  (yikes!)

This is really a policy enforcement issue, and would best be handled
"politically". As far as a potential technical solution, I think you can
restrict the SSH connection to a given command (but I have never tried
this).

-Matt
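
The restriction that several replies in this thread describe (sshd limited to "cvs server", or the wrapper login shell Rob Helmer suggests), written out as an added example that is not code from any poster or from the CVS project. The script name cvs-only, its install path, the cvs binary path and the key shown in the comment are assumptions.

```shell
#!/bin/sh
# cvs-only (hypothetical name): allow exactly one remote command, "cvs server".
#
# Assumed deployment, either of:
#   1. Login shell of the developer accounts; sshd then runs
#        cvs-only -c '<command the client asked for>'
#   2. Forced command in ~/.ssh/authorized_keys (placeholder key):
#        command="/usr/local/bin/cvs-only",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA...placeholder dev@example
#      sshd then puts the client's request in SSH_ORIGINAL_COMMAND.

# Absolute path (assumed location), so PATH cannot substitute another binary.
CVS_BIN=/usr/bin/cvs

# Exact string match only: no prefixes, no extra arguments, and no parsing
# of shell metacharacters ("cvs server; rm x,v" is refused outright).
cvs_only_allowed() {
    [ "$1" = "cvs server" ]
}

cvs_only_main() {
    if [ "${1-}" = "-c" ]; then
        requested=${2-}                      # login-shell invocation
    else
        requested=${SSH_ORIGINAL_COMMAND-}   # forced-command invocation
    fi

    if cvs_only_allowed "$requested"; then
        # The request string is never handed to a shell; a fixed argv is exec'd.
        exec "$CVS_BIN" server
    fi

    # An empty request is an interactive login attempt.
    echo "cvs-only: refused: '${requested:-interactive login}'" >&2
    return 1
}

# Act only when installed under the name cvs-only, so the functions above
# can be sourced and exercised without side effects.
case "${0##*/}" in
    cvs-only) cvs_only_main "$@"; exit $? ;;
esac
```

cvs server still runs under the developer's own uid, so repository write permission is unchanged; what goes away is the interactive shell from which /bin/rm was being run.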

