On Fri, 2005-07-29 at 17:19, "Martin v. Löwis" wrote:

> I believe this alone either won't work or won't be good enough (not
> sure which one): If you have /bin/false as login shell, and still
> manage to invoke /usr/bin/svnserve remotely, you can likely also
> invoke /usr/bin/cat /etc/passwd remotely (or download and build
> the root exploit via ssh).
>
> So you would have to restrict the set of valid programs to *only*
> svnserve. This is possible, but difficult to manage (AFAIK).

I think that's basically right.

> - on Linux, my issue is that .subversion is on NFS, so any root
>   user in our net can connect to the file. Therefore, I copy
>   the .p12 file to /tmp/private_dir, and remove the passphrase
>   there. No other machine can read the file (as /tmp is not
>   exported), and the file goes away after machine shutdown
>   latest (as tmp is cleaned on reboot).

I don't think that's true on all Linuxes though (or even all *nixes).

-Barry
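One way to check the requirement discussed above, that a key can reach *only* svnserve, as an added example that is not part of the original thread. It assumes the restriction is done with OpenSSH `authorized_keys` options (`command=`, `restrict`, `no-pty` and so on), a mechanism the messages do not name; the key lines, user names and the `parse_options`/`audit` helpers are constructed for illustration.

```python
import re
import shlex

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")   # prefixes of the key-type field
NO_SIDE_DOORS = {"no-pty", "no-port-forwarding",
                 "no-agent-forwarding", "no-x11-forwarding"}
# name, or name="value" where the value may contain \" escapes
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?(?:,|$)')

def parse_options(line):
    """Return {option: value} from the leading options field, {} if absent."""
    line = line.strip()
    if line.startswith(KEY_TYPES):
        return {}
    in_quote, end = False, len(line)
    for i, ch in enumerate(line):       # field ends at first unquoted space
        if ch == '"' and line[i - 1:i] != "\\":
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            end = i
            break
    return {m.group(1).lower(): m.group(2) for m in OPTION.finditer(line[:end])}

def audit(line, program="/usr/bin/svnserve"):
    """Return reasons the key is not confined to svnserve ([] = confined)."""
    opts = parse_options(line)
    cmd = opts.get("command")
    problems = []
    if cmd is None:
        problems.append("no forced command")
    else:
        argv = shlex.split(cmd)
        # Reject shell metacharacters and anything but "<program> -t ..."
        if re.search(r"[;&|`$<>]", cmd) or argv[:2] != [program, "-t"]:
            problems.append("forced command is not svnserve tunnel mode")
    if "restrict" not in opts:
        problems += ["missing " + o for o in sorted(NO_SIDE_DOORS - set(opts))]
    return problems

# Constructed authorized_keys lines (placeholder key material).
KEY = " ssh-ed25519 AAAA_CONSTRUCTED user@example"
SAMPLES = {
    "confined": 'command="/usr/bin/svnserve -t --tunnel-user=barry",no-pty,'
                'no-port-forwarding,no-agent-forwarding,no-X11-forwarding' + KEY,
    "bare": KEY,
    "wrong_program": 'restrict,command="/usr/bin/cat /etc/passwd"' + KEY,
    "chained": 'restrict,command="/usr/bin/svnserve -t; sh"' + KEY,
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, audit(line) or "OK")
```

A key with `/bin/false` as the account's login shell but no forced command shows up here as the "bare" case, which is the situation the quoted reply warns about.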