On Wed, Aug 09, 2000 at 11:18:56AM -0600, Tobias Weingartner wrote:

> > Not to mention trusting the users. I don't trust them. I don't actually
> > see ssh as significantly increasing my security because even with maximal
> > security between the user and the server, I still don't trust the user. 
> 
> Then you are screwed.  CVS was never meant to be used in this fashion.

Actually it's worked out quite well. As Greg pointed out there are two 
kinds of trust:

   Human "I trust you" trust: I trust my users in this sense, by 
   handing out write access to my repository without much hassle 
   and generally believing in people's good intentions and capabilities.

   Security "trust": I don't trust my human judgement of trustworthiness
   from a security standpoint. I assume that some day I'm going to hand 
   out a password to someone who is malicious and build my systems so 
   that it's not the end of the world if it happens.

My requirement is that if someone proves to be untrustworthy I want
to be able to disable their access to the box and undo whatever it
is that they've done. I also want to limit the damage they might
do to just the CVS repository itself so I don't have as big a clean-up
to do when I make a mistake.


> If you have a competitive environment, where
> users will try to torpedo other projects, then all bets are off.

Sure. If I see that happening someone gets axed. But, someone might try 
it and I might have to axe them. Having a chroot'ed repository limits the
number of nasty things they can do before they get the axe.

It's worth noting that I've never had to do this. But I am prepared to 
do it if I ever have to. 

What Greg is missing here is that security is just as much about recovering
from an attack after it happens, as it is about preventing it in the 
first place. 

My scheme is weak on prevention because it uses pserver, but it is very 
strong on recovery. Even an ssh scheme should have a strong recovery 
capability to be secure, and I think that means using chroot (or better
yet, jail(2) on FreeBSD).


> It's the difference between the Unix and VMS philosophy of computing.  Do you
> have an open system, with policing happening through capping the knees of bad
> users by the enraged community at large, or do you have a dictatorship, where
> legitimate use by good people is curtailed to the point of suffocation.

I'm more like an optimistic transaction: I trust everyone to do the right 
thing, and most of the time they do. But if you screw up I'll terminate
your account and then undo everything you've done :-)

Justin
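The "undo everything they've done" half of the recovery scheme above, as an added example that is not part of the thread: it parses `cvs log` output for the revisions one account committed and emits the reverse merges (`cvs update -j NEW -j OLD`) or `cvs remove` that back each one out. The log text is constructed sample data trimmed to the lines the parser needs, and the account name "mallory" is a placeholder.

```python
"""Recovery helper (added example; SAMPLE_LOG is constructed): parse 'cvs log'
output, find one account's revisions and emit the commands that undo them."""
import re
SAMPLE_LOG = """\
Working file: foo.c
revision 1.3
date: 2000/08/09 17:18:56;  author: mallory;  state: Exp;  lines: +5 -1
remove sanity check
revision 1.2
date: 2000/08/08 10:00:00;  author: alice;  state: Exp;  lines: +10 -2
add feature
=============================================================================
Working file: bar.c
revision 1.1
date: 2000/08/09 17:20:00;  author: mallory;  state: Exp;
new file
"""
REV_RE = re.compile(r"^revision (\S+)")
META_RE = re.compile(r"^date: ([^;]+);\s+author: ([^;]+);")

def commits_by(author, log_text):
    """[(working_file, revision, date)] for `author`, newest first per file
    (the order cvs log prints them, which is also the order to revert in)."""
    found, wfile, rev = [], None, None
    for line in log_text.splitlines():
        if line.startswith("Working file: "):
            wfile = line[len("Working file: "):]
        elif REV_RE.match(line):
            rev = REV_RE.match(line).group(1)
        else:
            m = META_RE.match(line)
            if m and rev and m.group(2) == author:
                found.append((wfile, rev, m.group(1)))
    return found

def previous_revision(rev):
    """1.3 -> 1.2; first revision on a branch (1.2.2.1) -> branch point 1.2;
    None for an initial revision such as 1.1 (nothing earlier to merge to)."""
    parts = rev.split(".")
    if parts[-1] == "1":
        return ".".join(parts[:-2]) if len(parts) > 2 else None
    return ".".join(parts[:-1] + [str(int(parts[-1]) - 1)])

def undo_commands(author, log_text):
    """Shell commands that back out each revision: a reverse merge, or
    'cvs remove' when the account created the file."""
    cmds = []
    for wfile, rev, _ in commits_by(author, log_text):
        prev = previous_revision(rev)
        cmds.append("cvs remove -f %s" % wfile if prev is None else
                    "cvs update -j %s -j %s %s" % (rev, prev, wfile))
    return cmds
```

Run the emitted commands in a fresh checkout, review the resulting diff, then commit; the account's revisions stay in the history, so the audit trail survives the clean-up.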
