This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.
Re: regarding CVS repostory on Savannah
- From: "Zack Weinberg" <zack at codesourcery dot com>
- To: Rudy Gevaert <rudy at gnu dot org>
- Cc: Gerald Pfeifer <gerald at pfeifer dot com>, gcc at gnu dot org, gcc-patches at gcc dot gnu dot org, savannah-compromise at gnu dot org
- Date: Sat, 27 Dec 2003 10:46:10 -0800
- Subject: Re: regarding CVS repostory on Savannah
- References: <20031224153109.GC26847@fencepost><20031224160530.GA9376@redhat.com> <20031224153109.GC26847@fencepost><20031224163735.GA23927@nevyn.them.org><20031225085402.GA4167@fencepost> <20031226072005.GC7783@fencepost><Pine.BSF.4.58.0312271214570.94229@acrux.dbai.tuwien.ac.at><20031227112238.GA15962@fencepost>
Rudy Gevaert <rudy@gnu.org> writes:

> I'll discuss it with the FSF admins to set up rsync in the chroot of
> your project.

I don't know how it was being done in the past, but it seems to me
that the following should work and expose neither system to more
vulnerabilities than it is at present:

On your end, create a user with no password and no authorized_keys for
inbound SSH, but do give it a valid shell and an SSH private key with
no passphrase. This user owns the CVS mirror hierarchy but doesn't
have write access to anything else. On our end, we create a
restricted-access account that is only allowed to run rsync-over-ssh,
and which can only read files. It gets the public key for the user on
your end in its authorized_keys file.

Then your user has a cron job which periodically invokes rsync to pull
down the files from our server.

zw
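
One way to realise the "only allowed to run rsync-over-ssh" account described in the message above, as an added example that is not part of the original mail or of either project's setup: a forced-command wrapper that accepts only an rsync pull request. The script path, host name, account names, key placeholder and `/cvs/` root are all assumptions; the read-only property itself still comes from the account's file permissions.

```shell
#!/bin/sh
# Added example: forced-command wrapper for the read-only account on the
# serving side. All paths, host names and the key are constructed.
#
# Serving side, ~/.ssh/authorized_keys of the restricted account:
#   command="/usr/local/bin/rsync-pull-only",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa <PUBLIC-KEY> mirror@puller
# Pulling side, crontab of the mirror user (key has no passphrase):
#   17 * * * * rsync -az --delete -e "ssh -i $HOME/.ssh/mirror_key" ro@server.example:/cvs/ /srv/cvs-mirror/

ALLOWED_ROOT="/cvs/"   # assumption: the only tree the mirror may read

# Succeeds only for "rsync --server --sender -<short flags> . <paths>",
# which is what an rsync client sends over ssh when it pulls.
is_allowed_rsync() {
    case $1 in *..*) return 1 ;; esac          # no parent-directory escapes
    set -f; set -- $1; set +f                  # split on whitespace, no globbing
    [ "$#" -ge 6 ] || return 1
    [ "$1 $2 $3 $5" = "rsync --server --sender ." ] || return 1
    case $4 in                                 # exactly one short-flag cluster
        --*|-*[!A-Za-z.]*) return 1 ;;         # long options are refused
        -?*) ;;
        *) return 1 ;;
    esac
    shift 5
    for p in "$@"; do                          # every requested path
        case $p in
            *[!A-Za-z0-9./_-]*) return 1 ;;    # unexpected characters
            "$ALLOWED_ROOT"*) ;;               # must sit under the exported tree
            *) return 1 ;;
        esac
    done
    return 0
}

# sshd places the command the client asked for in SSH_ORIGINAL_COMMAND.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if is_allowed_rsync "$SSH_ORIGINAL_COMMAND"; then
        set -f
        exec $SSH_ORIGINAL_COMMAND             # intentionally unquoted: split into argv
    fi
    echo "rejected: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
# No command requested (interactive login): the script ends, no shell starts.
```

Because long options are refused, a client that needs one (for example `--numeric-ids`) is rejected until the allowlist is extended deliberately.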