Posted to dev@httpd.apache.org by Doug MacEachern <do...@opengroup.org> on 1997/07/16 19:09:55 UTC

fetching from-cvs

Maybe I'm lazy, if you are too, the script below fetches the latest
snapshot from-cvs, cleans out $dir and unpacks the snapshot in $dir.

-Doug


#!/opt/perl5/bin/perl -w

use strict;
use File::Path;
#need libwww-perl installed with these gems
use URI::URL ();
use HTML::LinkExtor ();
use LWP::Simple;

# target directory: first argument, or a default under /tmp
my $dir = shift || "/tmp/apache_1.3-dev";
my $cvs = "http://dev.apache.org/from-cvs/";

# start from a clean directory: throw away any previous snapshot
rmtree $dir;
mkpath $dir, 0755;

# without the check a failed chdir would unpack into the current directory
chdir $dir or die "chdir $dir: $!";

# the callback sees every link on the index page; $cvs is the base URL,
# so relative hrefs are resolved against it
my $p = HTML::LinkExtor->new(\&cb, $cvs);
my $cnt;

sub cb {
    my($tag, %links) = @_;
    # only snapshot links, and only the fourth one matched, which is taken
    # to be the latest snapshot in the index listing
    return unless exists $links{href} and $links{href} =~ /apache_/;
    return unless ++$cnt == 4;

    # local file name is the href made relative to the base URL
    my $file = URI::URL->new($links{href})->rel;
    warn "mirror $links{href} => $file\n";

    # download (skipped if the local copy is up to date), unpack, tidy up;
    # $file is taken from the remote page and is interpolated into a shell
    # command, so the index page is trusted here
    mirror $links{href} => $file;
    system "gunzip < $file | tar -xvf -";
    unlink $file;
}

$p->parse(get $cvs);

Re: fetching from-cvs

Posted by Dean Gaudet <dg...@arctic.org>.
On Wed, 16 Jul 1997, Alexei Kosut wrote:

> Does ssh allow you to control what commands the user can execute? I'd be
> worried about giving an anonymous user access to a tool designed to open
> a shell.

Yup you can restrict the commands quite easily.  The canonical example is
allowing ssh to root from your tape machine and issuing only the dump
command. 

> Or we could just make sure pserver is safe. :)

There's also cvsup, but until/unless there's binaries for more than just
freebsd it's probably not a good option.  To build it requires you also to
build DEC's modula-3 package.  Lot's o' work.

Brian how do you feel about setting up the cvsread thing that Rasmus
posted? 

Dean
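
As an added example (not code from this thread), the check a defender would want for the forced-command setup Dean describes: a Python audit of the anoncvs account's authorized_keys that flags any key not pinned to command="cvs server" with pty and forwarding disabled. The required option list and the sample file are assumptions.

```python
import re

# Options every key of the thread's anoncvs account should carry (assumption).
REQUIRED = {'command="cvs server"', "no-pty", "no-port-forwarding",
            "no-X11-forwarding", "no-agent-forwarding"}
KEY_START = re.compile(r"^(ssh-\S+|ecdsa-\S+|\d+)$")   # key type: no options

def split_options(line):
    """Option set of one line; a quoted value (command="...") may hold commas."""
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and quoted and i + 1 < len(line):   # escaped char
            cur, i = cur + line[i:i + 2], i + 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            opts.append(cur)
            cur, i = "", i + 1
            continue
        elif ch.isspace() and not quoted:
            break                          # options end; key type follows
        cur, i = cur + ch, i + 1
    opts.append(cur)
    return set(opts)

def missing_options(line):
    """Required options the line lacks; an empty set means fully locked."""
    first = line.split(None, 1)[0]
    opts = set() if KEY_START.match(first) else split_options(line)
    return REQUIRED - opts

def audit(text):
    """1-based line number -> sorted missing options, for offending lines."""
    bad = {}
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#"):
            gap = missing_options(line.strip())
            if gap:
                bad[n] = sorted(gap)
    return bad

# Constructed sample: line 1 locked, line 2 lacks three options, line 3 none.
SAMPLE = """\
command="cvs server",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAB3PLACEHOLDER anoncvs@example
command="cvs server",no-port-forwarding ssh-rsa AAAAB3PLACEHOLDER2 anoncvs@example
ssh-rsa AAAAB3PLACEHOLDER3 anoncvs@example
"""
```

Run audit() over the real file of the restricted account; any entry it reports is a key that can do more than run "cvs server".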



Re: fetching from-cvs

Posted by Dean Gaudet <dg...@arctic.org>.
On Sat, 19 Jul 1997, Marc Slemko wrote:

> On Sat, 19 Jul 1997, Dean Gaudet wrote:
> 
> > Pessimist.
> 
> I'm optimistic that being pessimistic has saved my ass enough times.  I
> don't think I can stand up and point out "ok, you can break into that like
> this" today, but I'm nothing special and my mind is still at 7000 feet in
> the mountains... 

Oh I know the feeling... actually both feelings.  I'm just so happy that
I'm no longer doing admin work that I decided to start playing the dumb
user that doesn't know anything about security :) 

The rockies?  I miss the rockies. 

Dean


Re: fetching from-cvs

Posted by Marc Slemko <ma...@worldgate.com>.
On Sat, 19 Jul 1997, Dean Gaudet wrote:

> Pessimist.

I'm optimistic that being pessimistic has saved my ass enough times.  I
don't think I can stand up and point out "ok, you can break into that like
this" today, but I'm nothing special and my mind is still at 7000 feet in
the mountains... 

> 
> BTW are you talking about pserver or ssh?

Yes, ie. both.  I may be willing to trust anon ssh access to one account
which is restricted to one command; if that one command was /bin/false. 
Hey, I may even go for /bin/true.  The one command that is run is the
problem, and you end up with much the same thing with pserver or ssh.

> 
> Dean
> 
> On Sat, 19 Jul 1997, Marc Slemko wrote:
> 
> > No.  No.  No.
> > 
> > Don't trust it, don't trust it, don't trust it.
> > 
> > If you want anonymous access to the repository, put it on a different
> > machine or a separate copy of the repository on taz in a chrooted
> > environment with _nothing_ being run as root and no setuid binaries inside
> > the chrooted environment.
> > 
> > On Wed, 16 Jul 1997, Alexei Kosut wrote:
> > 
> > > On Wed, 16 Jul 1997, Dean Gaudet wrote:
> > > 
> > > > What are the security implications of making a user id anoncvs, not in
> > > > group httpd or cvs, and who can only log in via ssh, without a password
> > > > and execute the command "cvs server" ?
> > > 
> > > Does ssh allow you to control what commands the user can execute? I'd be
> > > worried about giving an anonymous user access to a tool designed to open
> > > a shell.
> > > 
> > > The way this is usually done is using pserver. It's designed only for
> > > accessing CVS, and also comes built in to CVS (you don't need to install
> > > ssh).
> > > 
> > > > Rasmus how is it that you do anoncvs again?  We could really use it on taz
> > > > I think. 
> > > 
> > > I think it is. OTOH, there are security risks with pserver, and if we set
> > > up an anonymous CVS account, there can be little tracking done of who
> > > does what (except for logs of remote hostnames, I guess).
> > > 
> > > One option might be to set up an insecure machine (i.e. one that doesn't
> > > have anything critical to the Apache Project or to anyone else's stuff),
> > > have it mirror the repository, and set up anon-cvs on that machine.
> > > 
> > > Or we could just make sure pserver is safe. :)
> > > 
> > > -- Alexei Kosut <ak...@organic.com>
> > > 
> > 
> > 
> 


Re: fetching from-cvs

Posted by Dean Gaudet <dg...@arctic.org>.
Pessimist.

BTW are you talking about pserver or ssh?

Dean

On Sat, 19 Jul 1997, Marc Slemko wrote:

> No.  No.  No.
> 
> Don't trust it, don't trust it, don't trust it.
> 
> If you want anonymous access to the repository, put it on a different
> machine or a separate copy of the repository on taz in a chrooted
> environment with _nothing_ being run as root and no setuid binaries inside
> the chrooted environment.
> 
> On Wed, 16 Jul 1997, Alexei Kosut wrote:
> 
> > On Wed, 16 Jul 1997, Dean Gaudet wrote:
> > 
> > > What are the security implications of making a user id anoncvs, not in
> > > group httpd or cvs, and who can only log in via ssh, without a password
> > > and execute the command "cvs server" ?
> > 
> > Does ssh allow you to control what commands the user can execute? I'd be
> > worried about giving an anonymous user access to a tool designed to open
> > a shell.
> > 
> > The way this is usually done is using pserver. It's designed only for
> > accessing CVS, and also comes built in to CVS (you don't need to install
> > ssh).
> > 
> > > Rasmus how is it that you do anoncvs again?  We could really use it on taz
> > > I think. 
> > 
> > I think it is. OTOH, there are security risks with pserver, and if we set
> > up an anonymous CVS account, there can be little tracking done of who
> > does what (except for logs of remote hostnames, I guess).
> > 
> > One option might be to set up an insecure machine (i.e. one that doesn't
> > have anything critical to the Apache Project or to anyone else's stuff),
> > have it mirror the repository, and set up anon-cvs on that machine.
> > 
> > Or we could just make sure pserver is safe. :)
> > 
> > -- Alexei Kosut <ak...@organic.com>
> > 
> 
> 


Re: fetching from-cvs

Posted by Marc Slemko <ma...@worldgate.com>.
No.  No.  No.

Don't trust it, don't trust it, don't trust it.

If you want anonymous access to the repository, put it on a different
machine or a separate copy of the repository on taz in a chrooted
environment with _nothing_ being run as root and no setuid binaries inside
the chrooted environment.

On Wed, 16 Jul 1997, Alexei Kosut wrote:

> On Wed, 16 Jul 1997, Dean Gaudet wrote:
> 
> > What are the security implications of making a user id anoncvs, not in
> > group httpd or cvs, and who can only log in via ssh, without a password
> > and execute the command "cvs server" ?
> 
> Does ssh allow you to control what commands the user can execute? I'd be
> worried about giving an anonymous user access to a tool designed to open
> a shell.
> 
> The way this is usually done is using pserver. It's designed only for
> accessing CVS, and also comes built in to CVS (you don't need to install
> ssh).
> 
> > Rasmus how is it that you do anoncvs again?  We could really use it on taz
> > I think. 
> 
> I think it is. OTOH, there are security risks with pserver, and if we set
> up an anonymous CVS account, there can be little tracking done of who
> does what (except for logs of remote hostnames, I guess).
> 
> One option might be to set up an insecure machine (i.e. one that doesn't
> have anything critical to the Apache Project or to anyone else's stuff),
> have it mirror the repository, and set up anon-cvs on that machine.
> 
> Or we could just make sure pserver is safe. :)
> 
> -- Alexei Kosut <ak...@organic.com>
> 


Re: fetching from-cvs

Posted by Alexei Kosut <ak...@organic.com>.
On Wed, 16 Jul 1997, Dean Gaudet wrote:

> What are the security implications of making a user id anoncvs, not in
> group httpd or cvs, and who can only log in via ssh, without a password
> and execute the command "cvs server" ?

Does ssh allow you to control what commands the user can execute? I'd be
worried about giving an anonymous user access to a tool designed to open
a shell.

The way this is usually done is using pserver. It's designed only for
accessing CVS, and also comes built in to CVS (you don't need to install
ssh).

> Rasmus how is it that you do anoncvs again?  We could really use it on taz
> I think. 

I think it is. OTOH, there are security risks with pserver, and if we set
up an anonymous CVS account, there can be little tracking done of who
does what (except for logs of remote hostnames, I guess).

One option might be to set up an insecure machine (i.e. one that doesn't
have anything critical to the Apache Project or to anyone else's stuff),
have it mirror the repository, and set up anon-cvs on that machine.

Or we could just make sure pserver is safe. :)

-- Alexei Kosut <ak...@organic.com>


Re: fetching from-cvs

Posted by ra...@bellglobal.com.
> What are the security implications of making a user id anoncvs, not in
> group httpd or cvs, and who can only log in via ssh, without a password
> and execute the command "cvs server" ?
> 
> Rasmus how is it that you do anoncvs again?  We could really use it on taz
> I think. 

I simply have a cvsread user in the cvs passwd file that isn't listed in the
'writers' file.  People do a regular pserver login: 

   cvs -d :pserver:cvsread@vex.net:/u/local/src/repository login

Nothing fancy.

-Rasmus
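
An added example, not Rasmus's actual files: the read-only rule his cvsread setup relies on, as CVS applies CVSROOT/passwd, readers and writers to a pserver login, with constructed file contents. It also covers the case the setup quietly depends on: with no writers file at all, a passwd entry alone gets write access.

```python
# Decide what a pserver login gets from CVSROOT/passwd, readers and writers.
# Sample file contents below are constructed; the hashes are placeholders.

def parse_passwd(text):
    """CVSROOT/passwd lines are 'cvsuser:crypted[:system_user]'.
    Returns {cvsuser: system_user}; with no third field the cvs user name
    doubles as the Unix account that cvs runs as after login."""
    users = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.strip().split(":")
        users[f[0]] = f[2] if len(f) > 2 and f[2] else f[0]
    return users

def parse_names(text):
    """readers/writers: one CVS user name per line; None means file absent."""
    if text is None:
        return None
    return {l.strip() for l in text.splitlines() if l.strip()}

def pserver_access(user, passwd, readers=None, writers=None):
    """None (no login), 'read-only' or 'read-write' for a pserver user.
    Rules: a name in readers is read-only; if a writers file exists, anyone
    not listed in it is read-only; readers wins if a name is in both."""
    if user not in parse_passwd(passwd):
        return None
    r, w = parse_names(readers), parse_names(writers)
    if r is not None and user in r:
        return "read-only"
    if w is not None and user not in w:
        return "read-only"
    return "read-write"

# Constructed files: cvsread is in passwd but not in writers, as in the thread.
PASSWD = """\
cvsread:PLACEHOLDER_HASH:cvsanon
rasmus:PLACEHOLDER_HASH:rasmus
"""
WRITERS = "rasmus\n"
```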

Re: fetching from-cvs

Posted by Dean Gaudet <dg...@arctic.org>.
What are the security implications of making a user id anoncvs, not in
group httpd or cvs, and who can only log in via ssh, without a password
and execute the command "cvs server" ?

Rasmus how is it that you do anoncvs again?  We could really use it on taz
I think. 

Dean

On Wed, 16 Jul 1997, Doug MacEachern wrote:

> Maybe I'm lazy, if you are too, the script below fetches the latest
> snapshot from-cvs, cleans out $dir and unpacks the snapshot in $dir.
> 
> -Doug
> 
> 
> #!/opt/perl5/bin/perl -w
> 
> use strict;
> use File::Path;
> #need libwww-perl installed with these gems
> use URI::URL ();
> use HTML::LinkExtor ();
> use LWP::Simple;
> 
> my $dir = shift || "/tmp/apache_1.3-dev";
> my $cvs = "http://dev.apache.org/from-cvs/";
> 
> rmtree $dir;
> mkpath $dir, 0755;
> 
> chdir $dir;
> 
> my $p = HTML::LinkExtor->new(\&cb, $cvs);
> my $cnt;
> 
> sub cb {
>     my($tag, %links) = @_;
>     return unless exists $links{href} and $links{href} =~ /apache_/;
>     return unless ++$cnt == 4;
> 
>     my $file = URI::URL->new($links{href})->rel;
>     warn "mirror $links{href} => $file\n";
> 
>     mirror $links{href} => $file;
>     system "gunzip < $file | tar -xvf -";
>     unlink $file;
> }
> 
> $p->parse(get $cvs);
>