Re: [cross-project-issues-dev] cross-project-issues-dev Digest, Vol 84, Issue 5

On 01/07/2013 12:07 PM, Markus Alexander Kuppe wrote:
> On 01/07/2013 05:11 PM, Denis Roy wrote:
>> I'm not sure I follow your train of thought re: exposing the ssh port to
>> the world, since build/dev/git.eclipse.org's SSH port already is.  My
>> fear is that, if committer passwords and/or private keys are stored on
>> anonymously-accessible web applications (such as hudson.eclipse.org)
>> that information could potentially be obtained by individuals with ill
>> intent.  If the committer account in question has a full shell, that
>> could mean real trouble for us from a security perspective.
> Hi Denis,
>
> what about a restricted shell then that is limited to certain commands
> like git pushing tags and uploading/downloading binary artifacts for
> signing? In combination with a per-project build/ci-account it would
> help improve security further.
>
> Markus


Everyone has such a restricted shell by default, but configuring it to be permissive enough for everyone's use case is very time consuming. In fact, you had that shell not long ago (cvssh) and requested a full shell :)

Denis
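
An added illustration, not part of the original thread and not Eclipse's cvssh: a command-allowlisting wrapper of the kind discussed above, installed as an OpenSSH forced command for a per-project CI key. The account name, repository root, staging directory and wrapper path are all constructed for the example.

```shell
#!/bin/sh
# Forced-command wrapper for a per-project CI key (all paths are constructed).
# authorized_keys entry (key elided):
#   command="/usr/local/bin/ci-shell",restrict ssh-ed25519 <key> ci@exampleproject
REPO_ROOT=/gitroot/exampleproject
STAGING_DIR=/home/ci-exampleproject/signing

# Succeeds only if $1 lies under directory $2 and uses a conservative charset.
safe_path() {
    case $1 in
        "$2"/*) ;;
        *) return 1 ;;
    esac
    case $1 in
        *[!A-Za-z0-9._/-]*|*..*) return 1 ;;   # no metacharacters, no ".."
    esac
    return 0
}

# Succeeds only if the client's requested command is on the allowlist.
ci_shell_allowed() {
    cmd=$1
    case $cmd in
        "git-receive-pack '"*"'")            # what `git push` sends over ssh
            path=${cmd#"git-receive-pack '"}
            path=${path%"'"}
            safe_path "$path" "$REPO_ROOT" ;;
        "scp -t "*)                          # upload (legacy scp protocol, scp -O)
            safe_path "${cmd#scp -t }" "$STAGING_DIR" ;;
        "scp -f "*)                          # download
            safe_path "${cmd#scp -f }" "$STAGING_DIR" ;;
        *) return 1 ;;
    esac
}

# sshd places the client's request in SSH_ORIGINAL_COMMAND; it is empty for an
# interactive login, which then simply ends without a shell.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if ci_shell_allowed "$SSH_ORIGINAL_COMMAND"; then
        # Validation admitted only [A-Za-z0-9._/-] in the path, so this cannot chain.
        exec sh -c "$SSH_ORIGINAL_COMMAND"
    fi
    echo "ci-shell: command not permitted" >&2
    exit 1
fi
```

The wrapper sees only the requested command, not the refs being pushed, so limiting pushes to tags would additionally need a server-side hook (for example `pre-receive`) on the repository.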

