[eclipse.org-committers] Shell access to Eclipse servers - update

All,

I just wanted to update you on the shell restriction that is currently in place.

Although our vendor has not provided us with more information on the exploit, after some testing I am reasonably confident that our core servers (dev/build) are not vulnerable to this exploit. We are now re-enabling shell access to those who MUST HAVE a shell on our servers. To get your shell back, please go to the portal and fill out the required information:

    http://portal.eclipse.org/

I realize that this restriction may have caused you some grief; however, I considered it absolutely necessary. I have never seen such an easy-to-exploit vulnerability which yielded root privileges on Linux. With an ordinary shell account, I was able to obtain 'root' access on my Linux computers at home in mere minutes by simply compiling and running code that is publicly available. Please understand this is not about trusting our committers. It's about giving access only to those who need it, in order to protect us from any hijacked accounts, and to protect the Eclipse community's investment in our source repositories, bugzilla, mail and other data.

For those with vservers, using an iptables firewall to restrict ssh access to trusted IPs is a very good start. The actual vulnerability, as well as the exploit code, can be found here:

    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953

Again, I thank you for your understanding.


Denis, Matt and Karl.


