[eclipse.org-committers] Shell access to Eclipse servers - update
All,

I just wanted to update you on the shell restriction that is currently
in place.

Although our vendor has not provided us with more information on the
exploit, after some testing I am reasonably confident that our core
servers (dev/build) are not vulnerable to this exploit. We are now
re-enabling shell access to those who MUST HAVE a shell on our servers.

To get your shell back, please go to the portal and fill out the
required information:
http://portal.eclipse.org/

I realize that this restriction may have caused you some grief; however,
I considered it absolutely necessary. I have never seen such an
easy-to-exploit vulnerability which yielded root privileges on Linux.
With an ordinary shell account, I was able to obtain 'root' access on my
Linux computers at home in mere minutes by simply compiling and running
code that is publicly available. Please understand this is not about
trusting our committers. It's about giving access only to those who
need it, in order to protect us from any hijacked accounts, and to
protect the Eclipse community's investment in our source repositories,
bugzilla, mail and other data.

For those with vservers, using an iptables firewall to restrict ssh
access to trusted IPs is a very good start. The actual vulnerability,
as well as the exploit code, can be found here:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953

Again, I thank you for your understanding.

Denis, Matt and Karl.