On Thu, Sep 6, 2012 at 12:46 PM, Gaetan Bisson <bisson@archlinux.org> wrote:
> [2012-09-06 17:39:03 +0200] Florian Pritz:
>> The idea is to reduce the possible damage an attacker can cause if he happens to obtain a dev's/TU's ssh key. Without a shell and only a few whitelisted commands the box should be very safe. That allows us to use a server stored signing key for the database without having to worry about someone using a kernel exploit and gaining access to the key.
>
> Did we abandon the idea of having packagers download the old DB, check its signature, do changes to it, sign the new DB, and upload it back? Because I would certainly find this much safer and trustworthy than having a black-box server blindly sign anything it is given.

Agree.

> And I would also find it too bad to lose the flexibility actual non-root Linux accounts give, such as being able to fix things ourselves when they go wrong (like when pushing to the wrong repo).

What will happen to our personal web space? And what about /srv/ftp/other/? Will they move to the new server? If so, we'll need to whitelist enough commands so we can use them without being a PITA. Could you give us a more detailed list of the commands that will be allowed? I'm concerned that the shell would become so crippled that it would be practically unusable.

Eric

> Cheers.
>
> --
> Gaetan
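As an added example, not code from this thread or from Arch's infrastructure, here is one way the "no shell, only a few whitelisted commands" setup Florian describes can be implemented with an OpenSSH forced command: the key in authorized_keys is bound to a wrapper, sshd hands the wrapper the client's requested command in SSH_ORIGINAL_COMMAND, and the wrapper runs only a fixed set of helper programs. The install path (/usr/local/bin/ssh-whitelist), the helper directory and the helper names (db-update, db-remove, db-move) are assumptions for the example, not the real dbscripts.

```shell
#!/bin/sh
# Added example: an OpenSSH forced-command wrapper that gives a key holder no
# shell, only a fixed set of helper programs. Installed on the server as
# /usr/local/bin/ssh-whitelist (path assumed) and bound to each packager's key
# in ~/.ssh/authorized_keys together with sshd's other restrictions:
#
#   restrict,command="/usr/local/bin/ssh-whitelist --dispatch" ssh-ed25519 AAAA... packager
#
# sshd puts whatever command the client asked for into SSH_ORIGINAL_COMMAND
# and runs this wrapper instead; the wrapper decides what actually executes.

# Directory holding one helper program per permitted command (assumed layout).
WHITELIST_DIR=/usr/local/lib/ssh-whitelist

# Permitted command names; these helper names are assumptions for the example.
ALLOWED_COMMANDS='db-update db-remove db-move'

# is_allowed REQUEST: exit status 0 if REQUEST may run, 1 otherwise.
# An empty request means the client wanted an interactive shell: refused.
# The character allowlist is deliberately narrow so that no shell syntax
# (";", "|", "$(...)", quotes, newlines, globs) can reach the helpers.
is_allowed() {
    req=$1
    case "$req" in
        '') return 1 ;;
        *[![:alnum:]' '._/:@=+_-]*) return 1 ;;
    esac
    set -f                 # no glob expansion while splitting the request
    set -- $req
    set +f
    name=$1
    for allowed in $ALLOWED_COMMANDS; do
        [ "$name" = "$allowed" ] && return 0
    done
    return 1
}

# dispatch: the code path sshd runs. Refuses and logs anything not allowed,
# otherwise execs the matching helper with the remaining words as arguments.
# Validating those arguments (repo names, package paths) is each helper's job.
dispatch() {
    req=${SSH_ORIGINAL_COMMAND:-}
    client=${SSH_CLIENT:-unknown}
    client=${client%% *}
    if ! is_allowed "$req"; then
        logger -p auth.warning -t ssh-whitelist "denied $client: '$req'"
        printf 'ssh-whitelist: command not permitted\n' >&2
        exit 127
    fi
    logger -p auth.info -t ssh-whitelist "allowed $client: '$req'"
    set -f
    set -- $req
    set +f
    name=$1
    shift
    exec "$WHITELIST_DIR/$name" "$@"
}

# Only act as the forced command when invoked with --dispatch; otherwise the
# file merely defines the functions above (handy for testing them).
if [ "${1:-}" = --dispatch ]; then
    dispatch
fi
```

The `restrict` option also turns off port forwarding, agent forwarding, X11 and PTY allocation for that key, so a stolen key buys an attacker exactly the helper programs and nothing else; the logged denials are what you would alert on. This does not answer Gaetan's point about signing: the wrapper limits what a key can invoke, but whatever db-update does with the server-side signing key is still done on the packager's behalf without further verification.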