33118 – adding cvs support to rssh

Bug 33118 - adding cvs support to rssh

Summary: adding cvs support to rssh

Status:	RESOLVED WONTFIX

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	New packages (show other bugs)
Hardware:	All Linux

Importance:	High enhancement (vote)
Assignee:	Max Kalika (RETIRED)

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2003-11-09 22:41 UTC by Bob Thomas
Modified:	2004-06-22 15:55 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
the patch (rssh_cvs_enable.patch,11.87 KB, patch) 2003-11-09 22:46 UTC, Bob Thomas	Details \| Diff
the ebuild diff (rssh_cvs_enable_ebuild.diff,496 bytes, patch) 2003-11-09 22:47 UTC, Bob Thomas	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Bob Thomas 2003-11-09 22:41:51 UTC

I made a patch for rssh that adds support for cvs. Please test.

Reproducible: Always
Steps to Reproduce:
1.
2.
3.

Comment 1 Bob Thomas 2003-11-09 22:46:31 UTC

Created attachment 20500 [details, diff]
the patch

a patch that adds cvs support to rssh

Comment 2 Bob Thomas 2003-11-09 22:47:30 UTC

Created attachment 20501 [details, diff]
the ebuild diff

adds a few short lines to the ebuild to enable the patch.

Comment 3 Max Kalika (RETIRED) gentoo-dev

2003-11-12 09:13:09 UTC

I'm not sure if this is the best approach.  The author of rssh states in the FAQ, "The purpose of rssh is to allow system administrators to allow users access to a server via either scp or sftp, or both. This design is simple and clean, and very easy to keep secure."  If we add cvs, I can just see someone wanting to add rsync, cpio, tar, rmt, etc.

If you do need a set of other commands, perhaps using rbash and pam_chroot (link below) is the way to go.  Mike, do you have thoughts on this?

http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-6.html#ss6.2

Comment 4 Bob Thomas 2003-11-12 10:00:28 UTC

You're right, this isn't the best possible approach. I think the best approach would be for cvs to support something like this. However, the other solutions I've found were way too messy for my taste:

http://www.prima.eu.org/tobez/cvs-howto.html
http://www.idealx.org/prj/idx-chrooted-ssh-cvs/dist/chrooted-ssh-cvs-server.html

I don't want rbash, the whole point is to not allow someone to get shell access, even if it is somewhat restricted in what they can do. There are many things that could go wrong. If someone could scp a file into that directory, and then get shell to run it, they could do whatever they wanted. (maybe that would work, maybe it wouldn't, but I still think that using bash is NOT the best solution).

Maybe someone would want rsync. I don't know enough about how rsync works to know if it would work with this method or not (I didn't know much about how cvs worked on the server end until I worked on this). If someone else wants it, someone else can add it. The author didn't want cvs support, but I did so I added it. Isn't open source great?

Comment 5 Max Kalika (RETIRED) gentoo-dev

2003-11-16 20:01:59 UTC

The point of rbash is that only commands that you specifically allow, can run.  This is what you're looking for, and it doesn't require modification to any code.  I really don't think that this project is the proper way to implement restricted cvs.

Comment 6 SpanKY gentoo-dev

2004-06-22 15:55:31 UTC

cvs support is now in officially with 2.2.1 ;)

just a future note ... it's better to take such non-standard enhancements upstream and if they accept it, to come back to us (depending of course on their release cycle) ...

Gentoo (as a general rule of thumb) tries to keep such enhancements upstream that way everyone benefits and not just users of Gentoo ;)