On Wednesday, August 9, Justin Wells wrote:
> On Wed, Aug 09, 2000 at 02:12:50PM -0400, Greg A. Woods wrote:
> > [ On Wednesday, August 9, 2000 at 11:51:34 (-0400), Justin Wells wrote: ]
> > If you grant trust to an untrustworthy party then that's got nothing to
> > do with SSH or CVS!
> 
> That's your professional software shop training wheels speaking. In the 
> real world I don't really know these people all that well and I do have
> to prepare for the very real possibility that I might be fooled into 
> granting access to an untrustworthy person.

How is granting access via pserver (chroot()'ed or not) any different from
using SSH (or anything else for that matter) here?  If the individual is
not trustworthy, they will be able to wreak havoc either way.

The issue is one of risk, given a reasonably trustworthy client.  pserver
is, at least IMHO, a totally unacceptable risk.  Passwords in the clear,
no integrity on the connection (save sequence numbers, which are easy
to take over), and no real "authentication" to speak of.  Here you not only
have to worry about the potentially bad client you let into your lair, but
also the thousands of script-kiddies out there not knowing what to do with
their right hand on a "boring day off school".  Why would you want to take
that particular risk?


> If that doesn't fit into your pretty little security analysis worldview
> tough--it's a real, practical, actual problem that I face.

And this problem is?  That you feel "uncomfortable" with having these people
potentially have access to things outside the repository?  Potentially to
competing repositories?  You maintain that there is nothing of "importance"
on this machine, yet you keep on trying to "restrain" the users from some
sort of information.  I'm a little confused, which one is it now?


> When viewed this way my pserver setup is FAR more secure than your ssh
> setup, because my setup limits the risk I face when someone fools me 
> into authorizing their access even though they prove to be untrustworthy.

With respect to what?  To the system?  You maintain that the system is easy
and quick to re-install, and that you may do so on a weekly basis anyhow,
since there is nothing of "value" on it to keep.

So the only thing that could constitute risk is some repo.  If it is another
repo (from the view of one client), then that is system data (since they do
not have access to it) which happens to have value (hence the risk).  Therefore
you don't have a system that has "nothing of importance" on it.  If on the
other hand you are talking about risk within a repo, then your argument makes
little sense again, since CVS itself can be used quite effectively, without
needing any sort of shell access, to wreak havoc within a repo.


> Your scheme's inability to cope with this ugly property of real life is
> one of the biggest nails in its coffin.

The schemes which both Greg and I (among others) have pointed out are as
likely to deal with these scenarios.  The only point where I concede
some "trouble" is on the client side, where I fail to see how anything short
of education (and maybe even blunt refusal to cooperate) will make people
realize the risk they are taking by using pserver.

--Toby.
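For the SSH-based setup argued for above, the usual way to keep a granted key from turning into shell access is an authorized_keys forced command. The following is an added example, not part of the thread and not Greg's or Toby's configuration. It assumes a repository at /var/cvs reached by clients as CVSROOT=:ext:user@host:/var/cvs with CVS_RSH=ssh, a constructed sample authorized_keys file, and helper names of my own choosing.

```shell
#!/bin/sh
# Added example: restrict an SSH-only CVS account to "cvs server" so that a
# mistaken grant of access does not become a login shell.
#
# The pserver alternative the thread warns about would be an inetd line like
# (assumed layout, repository at /var/cvs):
#   cvspserver stream tcp nowait root /usr/bin/cvs cvs -f --allow-root=/var/cvs pserver
# which authenticates with a cleartext-equivalent password and no connection
# integrity.  The SSH variant below replaces that with key authentication.

# Emit an authorized_keys entry that forces the CVS server command and turns
# off the SSH features a shell-less CVS user has no need for.
# $1 = a public key line as found in id_rsa.pub ("ssh-rsa AAAA... comment")
restrict_key() {
    printf 'command="cvs server",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$1"
}

# Audit an authorized_keys file: count entries that grant an unrestricted
# login, i.e. non-blank, non-comment lines that do not start with command=.
# $1 = path to the authorized_keys file
unrestricted_keys() {
    awk '!/^[[:space:]]*(#|$)/ && !/^command=/ { n++ } END { print n+0 }' "$1"
}

# Usage (constructed sample data):
#   restrict_key "$(cat /tmp/alice.pub)" >> ~cvsuser/.ssh/authorized_keys
#   unrestricted_keys ~cvsuser/.ssh/authorized_keys   # should print 0
```

Two caveats that follow from the thread itself: the forced command confines the user to the CVS protocol, not to one repository, because `cvs server` takes the repository path from the client's Root request, so filesystem permissions (or a wrapper that checks the requested path) must keep a client out of "competing repositories" on the same box; and, as Toby notes, CVS itself is enough to wreak havoc inside a repository the user is allowed to write to, so this limits the blast radius to the repo rather than removing it.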

