[Python-Dev] PEP: Migrating the Python CVS to Subversion
Barry Warsaw
barry at python.org
Sat Jul 30 00:12:16 CEST 2005
On Fri, 2005-07-29 at 17:19, "Martin v. Löwis" wrote:
> I believe this alone either won't work or won't be good enough (not
> sure which one): If you have /bin/false as login shell, and still
> manage to invoke /usr/bin/svnserve remotely, you can likely also
> invoke /usr/bin/cat /etc/passwd remotely (or download and build
> the root exploit via ssh).
>
> So you would have to restrict the set of valid programs to *only*
> svnserve. This is possible, but difficult to manage (AFAIK).
I think that's basically right.
> - on Linux, my issue is that .subversion is on NFS, so any root
> user in our net can connect to the file. Therefore, I copy
> the .p12 file to /tmp/private_dir, and remove the passphrase
> there. No other machine can read the file (as /tmp is not
> exported), and the file goes away after machine shutdown
> latest (as tmp is cleaned on reboot).
I don't think that's true on all Linuxes though (or even all *nixes).
-Barry
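
An added example, not part of the original message or of the python.org setup: one way to restrict a key to *only* svnserve is sshd's `command=` forced-command option in `authorized_keys`, and the script below audits entries for it. The per-key svn+ssh layout, the key material and the user names are constructed assumptions.

```python
import shlex

KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")   # prefixes of OpenSSH key type names
LOCKDOWN = {"no-pty", "no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding"}

def parse_options(line):
    """Return {option: value} for one authorized_keys line, None for blank/comment."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith(KEY_TYPES):
        return {}                      # bare key, no options at all
    fields, cur, quoted, prev = [], "", False, ""
    for ch in line:
        if ch == '"' and prev != "\\":
            quoted = not quoted        # commas and spaces inside quotes are literal
        elif ch == "," and not quoted:
            fields.append(cur)
            cur = ""
        elif ch in " \t" and not quoted:
            break                      # end of the options field, key type follows
        else:
            cur += ch
        prev = ch
    fields.append(cur)
    return {n.lower(): v for n, _, v in (f.partition("=") for f in fields)}

def audit(line):
    """Return findings; an empty list means the key can only run svnserve -t."""
    opts = parse_options(line)
    if opts is None:
        return []
    findings = []
    argv = shlex.split(opts.get("command", ""))
    if not argv:
        findings.append("no forced command: key can run any program")
    elif argv[0].rsplit("/", 1)[-1] != "svnserve" or "-t" not in argv[1:]:
        findings.append("forced command is not 'svnserve -t'")
    if "restrict" not in opts:         # 'restrict' implies all of LOCKDOWN
        findings += ["missing " + o for o in sorted(LOCKDOWN - set(opts))]
    return findings

SAMPLE = [  # constructed entries, key material is a placeholder
    'ssh-rsa AAAAB3NzaC1yc2E= alice@example',
    'command="/usr/bin/svnserve -t --tunnel-user=bob",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2E= bob@example',
    'command="/bin/sh",no-pty ssh-rsa AAAAB3NzaC1yc2E= carol@example',
]

for entry in SAMPLE:
    print(audit(entry) or "ok", "<-", entry[:45])
```

With a forced command, sshd runs that command regardless of what the client requests, so the login shell setting no longer decides what the key holder can execute.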