Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [cross-project-issues-dev] cross-project-issues-dev Digest, Vol 84, Issue 5

<stuff deleted>
Hi Denis,

what about a restricted shell then that is limited to certain commands
like git pushing tags and uploading/downloading binary artifacts for
signing? In combination with a per-project build/ci-account it would
help improve security further.

Markus


Everyone has such a restricted shell by default, but configuring it to be permissive enough for everyone's use case is very time consuming. In fact, you had that shell not long ago (cvssh) and requested a full shell :)

Hi Denis,

Perhaps having two account types?...i.e. one for 'normal' committers (restricted, but relatively permissive...as it is now...to allow for everyone's use case)...and one that is very restricted (e.g. 'ecfreleng') that would only allow the necessary remote access for the builder?

Based upon the response on this list (few, so far), it seems that we may be one of only a few projects that does their build off-site...but is not a corp with firewall, etc around our builder, etc...so our needs may be unique here. This suggests to me that it won't be necessary to have such highly restricted accounts for many projects...i.e. it may be only us.

Scott





Back to the top