[ On Friday, August 11, 2000 at 10:47:36 (-0400), Justin Wells wrote: ]
> Subject: Re: cvs-nserver and latest CVS advisory
>
> No, they only have write access to small parts of it.
Any, and *ALL* of those parts are ultimately what you're trying to
protect in the first place. Without accountability you may as well not
have authentication and authorisation in the first place since you
*MUST* rely entirely on auditing the integrity of those things after the
fact.....
> There's zero accountability with ssh too. People just have to sound like
> they're nice and competent developers and have an email address that works.
Wrong. SSH has strong authentication, which means that in a properly
configured Unix server environment it offers you strong accountability.
Maybe not as strong as in a B1-secure system, or even a C2-secure system
(if your Unix server isn't already nearly C2-secure), but the point is
that it really really really does offer good accountability -- it
matters not how much you deny it since you are clearly wrong and many
people can show you this fact!
> And how are they going to do that, since *BSD Mail is not in the chroot?
> There are *NO* setuid binaries in my chroot.
You don't need setuid binaries to compromise something you already have
write access to..... DUH!
> This is the internet, Greg. Nobody really knows who anybody else is. Sure,
> we both live in Toronto and I could exchange some public key with you, but
> that's not a general solution for a worldwide accessible repository.
>
> It would be nice if use of PGP was widespread and the "web of trust"
> actually existed and such... but it isn't and it doesn't so we're stuck.
There are many other ways to establish identity and to establish trust.
PGP might not even be the best way (though it is far more widespread
than you seem to think it is!).
The important thing is that if you don't even try then all your other
efforts are for naught, and not only that but they may actually be
detrimental to your security because they offer a challenge!
If you don't even try to establish identity and trust then you should
give up and just offer wide open shell accounts and foster a
community-based form of trust -- i.e. go back to the very basics of
human nature and let people work out how they can trust each other right
from the ground up.
Please do visit www.pulltheplug.com and have a look at the open lab
they've set up for anonymous computing!
> Sure, all kinds of things work when you have the professional software
> development shop training wheels attached to your CVS repository.
>
> But now you're on the internet, and all this clap trap doesn't work. Now
> you need real security, since all your authentication schemes don't really
> amount to a hill of beans.
I did not throw the baby out with the bath water. I still establish
identity and trust in the old fashioned ways, i.e. I can make valid use
of virtual identities and strong authentication. I can hold my users
accountable! I do have a security policy!
> But, being able to limit how much of the repository the attacker can access
> does matter to me. And, if they are contained in the repository the real
> victory is that they are not root: which means they can't do anything to
> hide their tracks. So I can clean up after them--it helps with recovery
> that I can stare in at them from the outside of the repository and see
> what they are doing.
Well if it matters then you are stuck with establishing identity and
with using strong authentication.
> You are the only one on this list who can't see the improvement offered
> by the chroot. There are lots of people who may think pserver is too big
> a risk to take, but other than you, they aren't arguing against chroot.
You can put every file in a separate directory and chroot everyone into
isolated directories so that they can only affect the integrity of one
file at a time and you've still gained nothing without adding
accountability to the picture!
--
Greg A. Woods
+1 416 218-0098 VE3TCP <[EMAIL PROTECTED]> <robohack!woods>
Planix, Inc. <[EMAIL PROTECTED]>; Secrets of the Weird <[EMAIL PROTECTED]>