Re: cvs-nserver and latest CVS advisory (Was: patch to make CVS chroot)

[Tobias Weingartner]

On Wednesday, August 9, "Derek R. Price" wrote:
> Tobias Weingartner wrote:
> 
> > On Wednesday, August 9, Justin Wells wrote:
> > >
> > > If I move to ssh, I will definately still be using chroot. Even on a
> > > box where there's nothing else important there is no justification for
> > > giving away full fledged shells to people who don't need them.
> >
> > Have a look at anoncvssh, with a rough 3-line change in that source code,
> > it can be substituted as a shell for most CVS users.  No need to give
> > full shell access, although I would treat each and every CVS access (short
> > of full anoncvs access on a dedicated box) as being a full shell login
> > anyhow, due to possible funky things being done with CVSROOT/* scripts...
> 
> Bash2 has a built-in restricted mode as well.  You just run it as rbash or
> with a '-r' option.  Read the man page.  It might be what you're looking for.

Bad idea.  It's usually trivil to circumvent a restricted shell of this sort...

--Toby.