Hi Kaleb, just replying to get the mail into the Debian BTS. Please keep [EMAIL PROTECTED] in the CC about this topic.
I'm not testing these now, but maybe the scponly package maintainer will.

Greetings,
Joachim

On Tuesday, 04.09.2007, 13:38 -0700, Kaleb Pederson wrote:
> Hello,
>
> If you are familiar with rsync and unison and use them with scponly, please
> take a look at the comments at the bottom of the bug report and test with the
> latest CVS -- specifically options that use configuration files that can't be
> identified on the command line. I had trouble finding adequate documentation
> on unison, so testing in that area is appreciated.
>
> Aside from specifying which commands might have the right to execute by using
> an LD_PRELOAD mechanism, I'm not sure if there is much that can be done.
>
> We have fairly recently refined the rsync support to disallow starting it as a
> daemon, and a few other things that could also cause problems, so I believe
> it won't accept a config file on the command line, etc., and I believe it to
> be safe at this point.
>
> Furthermore, in light of comments on the debian list, I just
> disallowed --editor-cmd, --diff-cmd, and --config-dir... but that still
> doesn't help with the editor cmd and diff cmd being specified in config
> files.
>
> As far as we know, a system secured using the practices set forth in the
> security guide will be secure. If there are other best practices that can be
> added to it, or you have other suggestions and/or comments, please let us
> know.
>
> Thanks.
>
> --Kaleb
>
> On Tuesday 04 September 2007, Joachim Breitner wrote:
> > Hi,
> >
> > please read through:
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=437148
> >
> > Basically: Allowing svn or svnserve is unsafe.
> >
> > Greetings,
> > Joachim
>
-- 
Joachim "nomeata" Breitner
Debian Developer
[EMAIL PROTECTED] | ICQ# 74513189 | GPG-Keyid: 4743206C
JID: [EMAIL PROTECTED] | http://people.debian.org/~nomeata
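As an added illustration of the point Kaleb makes above (this is example code written for this page, not scponly's own argument handling, which is in C): a command-line filter can reject the svn options he names, in both the `--opt value` and `--opt=value` spellings, yet a user who can write `~/.subversion/config` can still set `editor-cmd` in its `[helpers]` section and get the same effect. The forbidden-option list and the sample config file are constructed for the example; scponly's real table and the user's real config may differ.

```python
"""Constructed example: filter svn argv for forbidden options, then show
that a config-file helper setting is not caught by that filter."""
import configparser
import shlex

# Options named in the thread as disallowed; constructed list for this example.
FORBIDDEN_SVN_OPTS = ("--editor-cmd", "--diff-cmd", "--config-dir")

# Constructed sample of a user's ~/.subversion/config for this example.
SAMPLE_CONFIG = """\
### constructed sample, not a real user's file
[helpers]
editor-cmd = /bin/sh
"""


def forbidden_option(argv):
    """Return the first forbidden option found in argv, or None.

    Matches both '--opt value' and '--opt=value'.  Stops at a bare '--'
    because svn treats everything after it as operands, not options.
    """
    for arg in argv:
        if arg == "--":
            break
        for opt in FORBIDDEN_SVN_OPTS:
            if arg == opt or arg.startswith(opt + "="):
                return opt
    return None


def svn_command_allowed(cmdline):
    """Decide whether a command line is an svn invocation free of forbidden options."""
    argv = shlex.split(cmdline)
    if not argv or argv[0] != "svn":
        return False
    return forbidden_option(argv[1:]) is None


def helpers_from_config(config_text):
    """Return the editor/diff helper commands set in a [helpers] section, if any."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    if not cp.has_section("helpers"):
        return {}
    return {k: v for k, v in cp.items("helpers") if k in ("editor-cmd", "diff-cmd")}


def filter_bypassed_by_config(cmdline, config_text):
    """True when the command passes the argv filter but the config still names a helper."""
    return svn_command_allowed(cmdline) and bool(helpers_from_config(config_text))


if __name__ == "__main__":
    for cmd in ("svn commit -m fix file.c",
                "svn commit --editor-cmd /bin/sh",
                "svn commit --editor-cmd=/bin/sh"):
        print(f"{cmd!r}: allowed={svn_command_allowed(cmd)}")
    print("bypassed via config:",
          filter_bypassed_by_config("svn commit -m fix file.c", SAMPLE_CONFIG))
```

The argv filter is only as good as its coverage of spellings svn accepts; the config-file path is what it cannot see, which is why the thread concludes that a denylist of flags alone does not make svn safe to allow.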