GCC maintainer account

GCC maintainer account

[Mark Mitchell]

Would one of you be willing to set up an account that allows any GCC
maintainer to log into gcc.gnu.org?

This account would be used to run cronjobs, etc., that all the GCC
maintainers might need to modify.  At present, this stuff runs out of
individual people's home directories, and there is no way for another
maintainer to modify it.  And some of us do not even have login
accounts on gcc.gnu.org.

This idea could be realized by simply putting all of the GCC
maintainers public keys together into .ssh/authorized_keys for this
account.

Thanks in advance,

--
Mark Mitchell                   mark@codesourcery.com
CodeSourcery, LLC               http://www.codesourcery.com

Re: GCC maintainer account

[Christopher Faylor]

Do you want us to set up a "gccmaint" account?  Is that an
adequate name?

There's no problem doing this.  The biggest task will be collecting
all of the .ssh keys of all of the maintainers into one authorized_keys
file.  Should we just use everyone in the 'gcc' group on gcc.gnu.org?

cgf

On Thu, Feb 15, 2001 at 06:24:55PM -0800, Mark Mitchell wrote:
>
>Would one of you be willing to set up an account that allows any GCC
>maintainer to log into gcc.gnu.org?
>
>This account would be used to run cronjobs, etc., that all the GCC
>maintainers might need to modify.  At present, this stuff runs out of
>individual people's home directories, and there is no way for another
>maintainer to modify it.  And some of us do not even have login
>accounts on gcc.gnu.org.
>
>This idea could be realized by simply putting all of the GCC
>maintainers public keys together into .ssh/authorized_keys for this
>account.
>
>Thanks in advance,

Re: GCC maintainer account

[Mark Mitchell]

>>>>> "Christopher" == Christopher Faylor <cgf@redhat.com> writes:

    Christopher> Do you want us to set up a "gccmaint" account?  Is
    Christopher> that an adequate name?

Yes, that would be perfect.  Alternatively, `gccadmin'.  Any such name
will do!

    Christopher> There's no problem doing this.  The biggest task will
    Christopher> be collecting all of the .ssh keys of all of the
    Christopher> maintainers into one authorized_keys file.  Should we
    Christopher> just use everyone in the 'gcc' group on gcc.gnu.org?

It should be anyone who has check-in rights for the GCC CVS
repository.  Is that the same thing?

Thanks!

--
Mark Mitchell                   mark@codesourcery.com
CodeSourcery, LLC               http://www.codesourcery.com

Re: GCC maintainer account

[Chris Faylor]

On Thu, Feb 15, 2001 at 06:47:52PM -0800, Mark Mitchell wrote:
>>>>>> "Christopher" == Christopher Faylor <cgf@redhat.com> writes:
>
>    Christopher> Do you want us to set up a "gccmaint" account?  Is
>    Christopher> that an adequate name?
>
>Yes, that would be perfect.  Alternatively, `gccadmin'.  Any such name
>will do!

Ok.  I've set up gccadmin.

>    Christopher> There's no problem doing this.  The biggest task will
>    Christopher> be collecting all of the .ssh keys of all of the
>    Christopher> maintainers into one authorized_keys file.  Should we
>    Christopher> just use everyone in the 'gcc' group on gcc.gnu.org?
>
>It should be anyone who has check-in rights for the GCC CVS
>repository.  Is that the same thing?

Yes.  Hmm.  You know we do try to limit login access to this machine and
this opens it open to about 70 people who didn't have general login
access before. 

I've set this account up but this could possibly be retroactively vetoed
by the other overseers if they see this as a security risk.

cgf

Re: GCC maintainer account

[Mark Mitchell]

>>>>> "Chris" == Chris Faylor <cgf@redhat.com> writes:

    Chris> I've set this account up but this could possibly be
    Chris> retroactively vetoed by the other overseers if they see
    Chris> this as a security risk.

Understood.  If necessary, we can go to a compromise situation where
only, say, steering committee members have accesss.  In fact, if you
prefer that, you could go ahead and make that change now.

Thanks very much for the quick response.

--
Mark Mitchell                   mark@codesourcery.com
CodeSourcery, LLC               http://www.codesourcery.com

Re: GCC maintainer account

[Mark Mitchell]

>>>>> "Chris" == Chris Faylor <cgf@redhat.com> writes:

    Chris> I've set this account up but this could possibly be
    Chris> retroactively vetoed by the other overseers if they see
    Chris> this as a security risk.

Actually, it doesn't work for me.  (Am I an idiot?)

  bash$ slogin gcc.gnu.org -l gccadmin
  Permission denied.
  bash$ slogin gcc.gnu.org -l mmitchel
  E cvs [server aborted]: received interrupt signal

Is there anything in the log files?

Thanks,

--
Mark Mitchell                   mark@codesourcery.com
CodeSourcery, LLC               http://www.codesourcery.com

Re: GCC maintainer account

[Alexandre Petit-Bianco]

Mark Mitchell writes:

> Actually, it doesn't work for me.  (Am I an idiot?)
> 
>   bash$ slogin gcc.gnu.org -l gccadmin
>   Permission denied.
>   bash$ slogin gcc.gnu.org -l mmitchel
>   E cvs [server aborted]: received interrupt signal

If it can help debugging, I can:

  apbianco@kazmo[~]: slogin apbianco@gcc.gnu.org -v
  SSH Version 1.2.27 [i586-unknown-linux], protocol version 1.5.
  Standard version.  Does not use RSAREF.
  kazmo: Reading configuration data /etc/ssh/ssh_config
  kazmo: ssh_connect: getuid 500 geteuid 0 anon 0
  kazmo: Connecting to gcc.gnu.org [205.180.83.71] port 22.
  kazmo: Allocated local port 1019.
  kazmo: Connection established.
  kazmo: Remote protocol version 1.5, remote software version 1.2.26C2
  kazmo: Waiting for server public key.
  kazmo: Received server public key (768 bits) and host key (1024 bits).
  kazmo: Host 'gcc.gnu.org' is known and matches the host key.
  kazmo: Initializing random; seed file /home/apbianco/.ssh/random_seed
  kazmo: IDEA not supported, using 3des instead.
  kazmo: Encryption type: 3des
  kazmo: Sent encrypted session key.
  kazmo: Installing crc compensation attack detector.
  kazmo: Received encrypted confirmation.
  kazmo: Connection to authentication agent opened.
  kazmo: Trying RSA authentication via agent with 'apbianco@kazmo'
  kazmo: Received RSA challenge from server.
  kazmo: Sending response to RSA challenge.
  kazmo: Remote: RSA authentication accepted.
  kazmo: RSA authentication accepted by server.
  kazmo: Requesting pty.
  kazmo: Requesting X11 forwarding with authentication spoofing.
  kazmo: Remote: X11 forwarding disabled in this site.

Note that I already had an account. 

./A

Re: GCC maintainer account

[Chris Faylor]

On Thu, Feb 15, 2001 at 07:30:18PM -0800, Mark Mitchell wrote:
>>>>>> "Chris" == Chris Faylor <cgf@redhat.com> writes:
>
>    Chris> I've set this account up but this could possibly be
>    Chris> retroactively vetoed by the other overseers if they see
>    Chris> this as a security risk.
>
>Actually, it doesn't work for me.  (Am I an idiot?)

No, I'm the idiot.  I somehow dropped you (of all people) from the
authorized_keys file.

I'm checking to see who else I missed.  You're definitely in the
list of people who should have been in the authorized_keys file so
I'm hoping that I just manually misedited something.

cgf

Re: GCC maintainer account

[Chris Faylor]

On Thu, Feb 15, 2001 at 10:41:59PM -0500, Chris Faylor wrote:
>On Thu, Feb 15, 2001 at 07:30:18PM -0800, Mark Mitchell wrote:
>>>>>>> "Chris" == Chris Faylor <cgf@redhat.com> writes:
>>
>>    Chris> I've set this account up but this could possibly be
>>    Chris> retroactively vetoed by the other overseers if they see
>>    Chris> this as a security risk.
>>
>>Actually, it doesn't work for me.  (Am I an idiot?)
>
>No, I'm the idiot.  I somehow dropped you (of all people) from the
>authorized_keys file.
>
>I'm checking to see who else I missed.  You're definitely in the
>list of people who should have been in the authorized_keys file so
>I'm hoping that I just manually misedited something.

Ok, I missed anyone whose home directory was != /home/username.  Sorry
about that.  This should be correct now.

There were also a couple of people who didn't have .ssh/authorized_keys
files.  RMS was one of them, FWIW.

Anyway, could you try it again, Mark?

cgf

Re: GCC maintainer account

[Mark Mitchell]

>>>>> "Chris" == Chris Faylor <cgf@redhat.com> writes:

    Chris> Anyway, could you try it again, Mark?

Cool -- it works now!

Thanks again for setting this up so quickly.

--
Mark Mitchell                   mark@codesourcery.com
CodeSourcery, LLC               http://www.codesourcery.com

Re: GCC maintainer account

[Jason Molenda]

On Thu, Feb 15, 2001 at 10:10:19PM -0500, Chris Faylor wrote:

> I've set this account up but this could possibly be retroactively vetoed
> by the other overseers if they see this as a security risk.

As an interested bystander I'm just throwing in my two cents, but
I think that giving ~70 people login access is not such a good
idea.  It isn't a matter of trusting those 70 people personally--it's
that any one of those people having their system compromised, then
their ssh passphrase/private key snarfed, results in sourceware
being open to compromise.

I imagine this account is for things like nightly snapshots, on-line
.html generation, monthly search engine form updating (Hi H-P :-) and
the like.  I'd say that the SC should all be in the auth_keys file,
and anyone they feel has a reason to be included as well.  For
instance, if someone like Joseph Myers takes an interest in improving
the snapshot job, someone on the SC could add his public key to
the auth_keys file.

Maybe it's more work than it's worth, but I imagine that few of those
70 gcc developers will ever have call to use the account, and opening
up access more than it needs to be doesn't seem like such a good idea.

(IMHO.  On the other hand, I'm not going to be doing any of the work
in maintaining what I describe, so my feelings aren't going to be hurt
if people ignore this input.  :-)

Jason

Re: GCC maintainer account

[Mark Mitchell]

>>>>> "Jason" == Jason Molenda <jason@molenda.com> writes:

    Jason> On Thu, Feb 15, 2001 at 10:10:19PM -0500, Chris Faylor
    Jason> wrote:

    >> I've set this account up but this could possibly be
    >> retroactively vetoed by the other overseers if they see this as
    >> a security risk.

    Jason> As an interested bystander I'm just throwing in my two
    Jason> cents, but I think that giving ~70 people login access is

Sure.  That's why I suggested (after the fact) that we could use just
the SC membership.  I think that's fine.

FWIW, I've announced the existence of this account to the SC -- but
not to the general GCC mainatinership.  If someone just removes the
non-SC people from authorized_keys, we'll be all set.

Thanks,

--
Mark Mitchell                   mark@codesourcery.com
CodeSourcery, LLC               http://www.codesourcery.com

Re: GCC maintainer account

[Christopher Faylor]

On Thu, Feb 15, 2001 at 09:23:21PM -0800, Mark Mitchell wrote:
>>>>>> "Jason" == Jason Molenda <jason@molenda.com> writes:
>
>    Jason> On Thu, Feb 15, 2001 at 10:10:19PM -0500, Chris Faylor
>    Jason> wrote:
>
>    >> I've set this account up but this could possibly be
>    >> retroactively vetoed by the other overseers if they see this as
>    >> a security risk.
>
>    Jason> As an interested bystander I'm just throwing in my two
>    Jason> cents, but I think that giving ~70 people login access is
>
>Sure.  That's why I suggested (after the fact) that we could use just
>the SC membership.  I think that's fine.
>
>FWIW, I've announced the existence of this account to the SC -- but
>not to the general GCC mainatinership.  If someone just removes the
>non-SC people from authorized_keys, we'll be all set.

Ok.  I have just added, to authorized_keys, *just* the SC members from
the list at gcc.gnu.org, along with myself, Tom Tromey, and Joseph S.
Myers.

Some of the steering committe members didn't seem to have accounts on
gcc.gnu.org, though:

Joe Buck, Torbjorn Granlund, Joel Sherrill

Jim Wilson didn't have an ssh authorized_keys file.

If I've somehow missed someone it should be easy for anyone who can now
login to the account to add them to authorized_keys.

cgf

Re: GCC maintainer account

[Gerald Pfeifer]

On Fri, 16 Feb 2001, Christopher Faylor wrote:
> Ok.  I have just added, to authorized_keys, *just* the SC members from
> the list at gcc.gnu.org, along with myself, Tom Tromey, and Joseph S.
> Myers.

Thanks!

Security-wise, wouldn't it be better to make the account -rwxrwx--- with
some group gccadmin, add all relevant folks to that group, and have ever-
yone log in using his regular account, so that we can see easily who has
made which changes and logged in when?

> Some of the steering committe members didn't seem to have accounts on
> gcc.gnu.org, though:
>
> Joe Buck, Torbjorn Granlund, Joel Sherrill

I mailed with Joel yesterday, and I believe he'll apply for an account
soon.

Gerald
-- 
Gerald "Jerry" pfeifer@dbai.tuwien.ac.at http://www.dbai.tuwien.ac.at/~pfeifer/

Re: GCC maintainer account

[Andrew Cagney]

Mark Mitchell wrote:
> 
> Would one of you be willing to set up an account that allows any GCC
> maintainer to log into gcc.gnu.org?
> 
> This account would be used to run cronjobs, etc., that all the GCC
> maintainers might need to modify.  At present, this stuff runs out of
> individual people's home directories, and there is no way for another
> maintainer to modify it.  And some of us do not even have login
> accounts on gcc.gnu.org.

Hey, I do that!  I've always felt guilty about it :-(
Should these cron jobs be run on the CVS machine or on something else. 
Or to be really paranoid should anyone be able to log into the CVS
machine?

	Andrew

Re: GCC maintainer account

[Jeffrey A Law]

  In message < 20010215192723I.mitchell@codesourcery.com >you write:
  > >>>>> "Chris" == Chris Faylor <cgf@redhat.com> writes:
  > 
  >     Chris> I've set this account up but this could possibly be
  >     Chris> retroactively vetoed by the other overseers if they see
  >     Chris> this as a security risk.
  > 
  > Understood.  If necessary, we can go to a compromise situation where
  > only, say, steering committee members have accesss.  In fact, if you
  > prefer that, you could go ahead and make that change now.
I think the best thing to do will be to add keys for GCC folks to that
account on an as-needed basis.

It's certainly a step forward from having so much stuff rely on personal
accounts (like mine).

Jeff

Re: GCC maintainer account

[Mark Mitchell]

>>>>> "Gerald" == Gerald Pfeifer <pfeifer@dbai.tuwien.ac.at> writes:

    Gerald> Security-wise, wouldn't it be better to make the account
    Gerald> -rwxrwx--- with some group gccadmin, add all relevant
    Gerald> folks to that group, and have ever- yone log in using his
    Gerald> regular account, so that we can see easily who has made
    Gerald> which changes and logged in when?

Not everyone has a regular account.  For example, I don't.  My account
only allows me to do CVS -- which is probably a good thing.  The SSHD
log files will still show which key came from where.

--
Mark Mitchell                   mark@codesourcery.com
CodeSourcery, LLC               http://www.codesourcery.com

Re: GCC maintainer account

[Christopher Faylor]

On Fri, Feb 16, 2001 at 09:46:59AM +0100, Gerald Pfeifer wrote:
>On Fri, 16 Feb 2001, Christopher Faylor wrote:
>> Ok.  I have just added, to authorized_keys, *just* the SC members from
>> the list at gcc.gnu.org, along with myself, Tom Tromey, and Joseph S.
>> Myers.
>
>Thanks!
>
>Security-wise, wouldn't it be better to make the account -rwxrwx--- with
>some group gccadmin, add all relevant folks to that group, and have ever-
>yone log in using his regular account, so that we can see easily who has
>made which changes and logged in when?

I don't think that group access allows modification of crontab.  And, not
everyone has login access to sources.redhat.com, although that's easily
rectified.

cgf

Re: GCC maintainer account

[Phil Edwards]

On Fri, Feb 16, 2001 at 12:09:15PM -0500, Christopher Faylor wrote:
> On Fri, Feb 16, 2001 at 09:46:59AM +0100, Gerald Pfeifer wrote:
> >
> >Security-wise, wouldn't it be better to make the account -rwxrwx--- with
> >some group gccadmin, add all relevant folks to that group, and have ever-
> >yone log in using his regular account, so that we can see easily who has
> >made which changes and logged in when?
> 
> I don't think that group access allows modification of crontab.

It doesn't.  Or at least, it shouldn't; if it does then we have problems.

The onlinedocs for libstdc++ and the 2.95.2 manual are being created by
scripts in my home directory.  Those should probably get moved, or merged,
or something.  (Actually, they're under CVS control in a repo on my local
machine... running vi on sourceware was a mistake I only had to make
once. :-)


Phil

-- 
pedwards at disaster dot jaj dot com  |  pme at sources dot redhat dot com
devphil at several other less interesting addresses in various dot domains
The gods do not protect fools.  Fools are protected by more capable fools.

Re: GCC maintainer account

[Alexandre Oliva]

On Feb 16, 2001, Christopher Faylor <cgf@redhat.com> wrote:

> I don't think that group access allows modification of crontab.

This is easy to address: a crontab entry that reads a file, compares
it with the installed crontab, and updates it if they differ.

-- 
Alexandre Oliva   Enjoy Guarana', see http://www.ic.unicamp.br/~oliva/
Red Hat GCC Developer                  aoliva@{cygnus.com, redhat.com}
CS PhD student at IC-Unicamp        oliva@{lsd.ic.unicamp.br, gnu.org}
Free Software Evangelist    *Please* write to mailing lists, not to me

Re: GCC maintainer account

[Andrew Cagney]

Chris Faylor wrote:

> I've set this account up but this could possibly be retroactively vetoed
> by the other overseers if they see this as a security risk.

If I've the right of veto then I'd like to veto this move.  It is a
serious security risk :-(  It scares the crap out of me.

I think the obvious thing to do is to kick this stuff (especially all my
GDB cronjobs :-) off of that machine and onto a second machine that, by
its nature, is assumed to be compromised.

Given that probably won't happen, could you please look at alternatives.

Jeff suggested a common account for a select set of users.  Going down
that path, you could even set up a separate CVS repository and put the
crontab entry in that.  Installing a crontab from a script is pretty
easy. (I should note this still isn't very secure as the obvious thing
to put in a crontab is `cp ~ftp/incomming/xyz ~/.ssh/authorize_keys`.)

Another possability is some sort of chrooted environment.  Anyway, there
must be HOWTOs  somewhere that give hints on how to set this up.

enjoy,
	Andrew
;

Re: GCC maintainer account

[Mark Mitchell]

>>>>> "Andrew" == Andrew Cagney <ac131313@cygnus.com> writes:

    Andrew> Chris Faylor wrote:

    >> I've set this account up but this could possibly be
    >> retroactively vetoed by the other overseers if they see this as
    >> a security risk.

    Andrew> If I've the right of veto then I'd like to veto this move.
    Andrew> It is a serious security risk :-( It scares the crap out
    Andrew> of me.

Until now, we've had a very hard time managing cron jobs, etc.,
because people had to set up these jobs out of their own accounts
(which most of the GCC SC did not have) and there was no way to see
what jobs other people had running, etc.

Now we have an account that only the GCC SC can use.  That means an
account with about 15 authorized uers -- some of whom already have
accounts on the machine.  I think that's pretty reasonable, given that
this is a GNU Project, and these people are the maintainers for this
part of the GNU Project.

If that's not acceptable to Red Hat, I fully understand.  There is no
doubt that this account increases the risk of compromise of Red Hat
proprietary information and the integrity of the machine.  

It's fine if some of the cronjobs run somewhere else.  But, we really
do need direct access to the machine.  For example, we have to be able
to manipulate the FTP site as well, and, sometimes, perform direct
surgery on the CVS repository.

If that risk isn't acceptable to Red Hat, that's perfectly
understandable.  In that case, though, we should probably move the GCC
repository to a machine that doesn't have the same risk profile.

--
Mark Mitchell                   mark@codesourcery.com
CodeSourcery, LLC               http://www.codesourcery.com

Re: GCC maintainer account

[Phil Edwards]

On Fri, Feb 16, 2001 at 09:37:12PM -0500, Andrew Cagney wrote:
> 
> If I've the right of veto then I'd like to veto this move.  It is a
> serious security risk :-(  It scares the crap out of me.

Speaking with my sysadmin hat on, it bothers me too, primarily (but not
only) for security reasons.  I agree it's necessary, but we should keep
very close eyes on when it gets used.


> Jeff suggested a common account for a select set of users.  Going down
> that path, you could even set up a separate CVS repository and put the
> crontab entry in that.  Installing a crontab from a script is pretty
> easy. (I should note this still isn't very secure as the obvious thing
> to put in a crontab is `cp ~ftp/incomming/xyz ~/.ssh/authorize_keys`.)

The practice of keeping the crontabs under CVS control (separate CVS
repo), and having the commitinfo/loginfo files submit the table to cron,
is a very useful one.  I highly recommend it.

Also a sorted and heavily commented crontab.  :-)


My two cents,
Phil

-- 
pedwards at disaster dot jaj dot com  |  pme at sources dot redhat dot com
devphil at several other less interesting addresses in various dot domains
The gods do not protect fools.  Fools are protected by more capable fools.

Re: GCC maintainer account

[Tom Tromey]

Mark> If that's not acceptable to Red Hat, I fully understand.  There
Mark> is no doubt that this account increases the risk of compromise
Mark> of Red Hat proprietary information and the integrity of the
Mark> machine.

Maybe I'm naive, but I'm not too concerned about this.

I think sources is fairly well separated from the rest of the internal
network.  If not, then that is a problem for Red Hat IS.

Also, there should never be any Red Hat confidential information
anywhere on this machine.


I agree that having a large number of people with login access is
dangerous.  However, there is a balance to be made between security
and utility.  I do think the gcc maintainers need this account.  We
just ask that they be responsible when using it.  My guess is that the
people on the Gcc steering committee are fairly responsible (though
maybe I can only say that since I'm not on the mailing list :-).

Tom

Re: GCC maintainer account

[Chris Faylor]

On Sat, Feb 17, 2001 at 12:15:54PM -0800, Mark Mitchell wrote:
>If that's not acceptable to Red Hat, I fully understand.  There is no
>doubt that this account increases the risk of compromise of Red Hat
>proprietary information and the integrity of the machine.  

I trust that the steering committee will understand the risks and will
take appropriate precautions.  As I mentioned, giving login access to
every gcc maintainer was overkill but I have no problem with giving
it to a select "elite" group of people.

I am, again, reverifying that we're doing good backups of gcc.gnu.org,
though.  :-)

cgf

Re: GCC maintainer account

[Jeffrey A Law]

  In message < 3A8DE3D8.97CBD65@cygnus.com >you write:
  > Chris Faylor wrote:
  > 
  > > I've set this account up but this could possibly be retroactively vetoed
  > > by the other overseers if they see this as a security risk.
  > 
  > If I've the right of veto then I'd like to veto this move.  It is a
  > serious security risk :-(  It scares the crap out of me.
It's not significantly less secure than what we're already doing.  Consider
the ability to check in cgi-scripts for our web pages.

Add to that the fact that the folks who can access this account are some
of the most trusted folks in the project.


jeff

Re: several messages

[Gerald Pfeifer]

On Fri, 16 Feb 2001, Andrew Cagney wrote:
> If I've the right of veto then I'd like to veto this move.  It is a
> serious security risk :-(  It scares the crap out of me.

I believe others already have addressed most of this, though if there are
serious concerns, I think we can reduce the number of people having access
to this account even further.

Right now, the following users should have access:

 o Mark Mitchell (GCC 3.0 release manager, SC member)
 o Bernd Schmidt (GCC 2.95 release manager)
 o Jeff Law (historical release manger, SC member, root@gcc.gnu.org)
 o Gerald Pfeifer (SC member, root@gcc.gnu.org)
 o Joseph Myers (had demanded more transparency, will hopefully help)

plus possibly further users, helping the release managers, for example.

(I really doubt that any of the other SC members will want access to
this account, and we could easily add them on demand.)

I don't feel strongly about this either way, though, I'm just trying
to add some perspective.

Gerald
-- 
Gerald "Jerry" pfeifer@dbai.tuwien.ac.at http://www.dbai.tuwien.ac.at/~pfeifer/

Re: GCC maintainer account

[Andrew Cagney]

> If that's not acceptable to Red Hat, I fully understand.  There is no
> doubt that this account increases the risk of compromise of Red Hat
> proprietary information and the integrity of the machine.

I am not speaking for Red Hat.

I'm speaking as Head GDB Maintainer (still acting :-). The GDB CVS
repository lives on that machine.  I give the integrety and security of
the GDB CVS repository a higher priority then a few hassles with
accessing cronjobs.

As I mentioned:

> Jeff suggested a common account for a select set of users.  Going down
> that path, you could even set up a separate CVS repository and put the
> crontab entry in that.  Installing a crontab from a script is pretty
> easy. (I should note this still isn't very secure as the obvious thing
> to put in a crontab is `cp ~ftp/incomming/xyz ~/.ssh/authorize_keys`.)

To me it is the thin edge of the wedge, however it will have to do
unless someone is willing to fund a separate machine that does handle
this.

	Andrew

Re: GCC maintainer account

[Andrew Cagney]

Andrew Cagney wrote:

> To me it is the thin edge of the wedge, however it will have to do
> unless someone is willing to fund a separate machine that does handle
> this.

Hmm, Jeff writes:

> It's not significantly less secure than what
> we're already doing.  Consider
> the ability to check in cgi-scripts for our web
> pages.

So ok :-)

Jeff writes:

> Add to that the fact that the folks who can
> access this account are some
> of the most trusted folks in the project.

Yes, agreed.  That was never my concern.

	Andrew

Re: GCC maintainer account

[Alexandre Petit-Bianco]

Mark Mitchell writes:

> Actually, it doesn't work for me.  (Am I an idiot?)
> 
>   bash$ slogin gcc.gnu.org -l gccadmin
>   Permission denied.
>   bash$ slogin gcc.gnu.org -l mmitchel
>   E cvs [server aborted]: received interrupt signal

If it can help debugging, I can:

  apbianco@kazmo[~]: slogin apbianco@gcc.gnu.org -v
  SSH Version 1.2.27 [i586-unknown-linux], protocol version 1.5.
  Standard version.  Does not use RSAREF.
  kazmo: Reading configuration data /etc/ssh/ssh_config
  kazmo: ssh_connect: getuid 500 geteuid 0 anon 0
  kazmo: Connecting to gcc.gnu.org [205.180.83.71] port 22.
  kazmo: Allocated local port 1019.
  kazmo: Connection established.
  kazmo: Remote protocol version 1.5, remote software version 1.2.26C2
  kazmo: Waiting for server public key.
  kazmo: Received server public key (768 bits) and host key (1024 bits).
  kazmo: Host 'gcc.gnu.org' is known and matches the host key.
  kazmo: Initializing random; seed file /home/apbianco/.ssh/random_seed
  kazmo: IDEA not supported, using 3des instead.
  kazmo: Encryption type: 3des
  kazmo: Sent encrypted session key.
  kazmo: Installing crc compensation attack detector.
  kazmo: Received encrypted confirmation.
  kazmo: Connection to authentication agent opened.
  kazmo: Trying RSA authentication via agent with 'apbianco@kazmo'
  kazmo: Received RSA challenge from server.
  kazmo: Sending response to RSA challenge.
  kazmo: Remote: RSA authentication accepted.
  kazmo: RSA authentication accepted by server.
  kazmo: Requesting pty.
  kazmo: Requesting X11 forwarding with authentication spoofing.
  kazmo: Remote: X11 forwarding disabled in this site.

Note that I already had an account. 

./A

Re: GCC maintainer account

[Mark Mitchell]

>>>>> "Chris" == Chris Faylor <cgf@redhat.com> writes:

    Chris> Anyway, could you try it again, Mark?

Cool -- it works now!

Thanks again for setting this up so quickly.

--
Mark Mitchell                   mark@codesourcery.com
CodeSourcery, LLC               http://www.codesourcery.com

Re: GCC maintainer account

[Andrew Cagney]

Mark Mitchell wrote:
> 
> Would one of you be willing to set up an account that allows any GCC
> maintainer to log into gcc.gnu.org?
> 
> This account would be used to run cronjobs, etc., that all the GCC
> maintainers might need to modify.  At present, this stuff runs out of
> individual people's home directories, and there is no way for another
> maintainer to modify it.  And some of us do not even have login
> accounts on gcc.gnu.org.

Hey, I do that!  I've always felt guilty about it :-(
Should these cron jobs be run on the CVS machine or on something else. 
Or to be really paranoid should anyone be able to log into the CVS
machine?

	Andrew

Re: GCC maintainer account

[Christopher Faylor]

Do you want us to set up a "gccmaint" account?  Is that an
adequate name?

There's no problem doing this.  The biggest task will be collecting
all of the .ssh keys of all of the maintainers into one authorized_keys
file.  Should we just use everyone in the 'gcc' group on gcc.gnu.org?

cgf

On Thu, Feb 15, 2001 at 06:24:55PM -0800, Mark Mitchell wrote:
>
>Would one of you be willing to set up an account that allows any GCC
>maintainer to log into gcc.gnu.org?
>
>This account would be used to run cronjobs, etc., that all the GCC
>maintainers might need to modify.  At present, this stuff runs out of
>individual people's home directories, and there is no way for another
>maintainer to modify it.  And some of us do not even have login
>accounts on gcc.gnu.org.
>
>This idea could be realized by simply putting all of the GCC
>maintainers public keys together into .ssh/authorized_keys for this
>account.
>
>Thanks in advance,

Re: GCC maintainer account

[Chris Faylor]

On Thu, Feb 15, 2001 at 10:41:59PM -0500, Chris Faylor wrote:
>On Thu, Feb 15, 2001 at 07:30:18PM -0800, Mark Mitchell wrote:
>>>>>>> "Chris" == Chris Faylor <cgf@redhat.com> writes:
>>
>>    Chris> I've set this account up but this could possibly be
>>    Chris> retroactively vetoed by the other overseers if they see
>>    Chris> this as a security risk.
>>
>>Actually, it doesn't work for me.  (Am I an idiot?)
>
>No, I'm the idiot.  I somehow dropped you (of all people) from the
>authorized_keys file.
>
>I'm checking to see who else I missed.  You're definitely in the
>list of people who should have been in the authorized_keys file so
>I'm hoping that I just manually misedited something.

Ok, I missed anyone whose home directory was != /home/username.  Sorry
about that.  This should be correct now.

There were also a couple of people who didn't have .ssh/authorized_keys
files.  RMS was one of them, FWIW.

Anyway, could you try it again, Mark?

cgf

Re: GCC maintainer account

[Mark Mitchell]

>>>>> "Christopher" == Christopher Faylor <cgf@redhat.com> writes:

    Christopher> Do you want us to set up a "gccmaint" account?  Is
    Christopher> that an adequate name?

Yes, that would be perfect.  Alternatively, `gccadmin'.  Any such name
will do!

    Christopher> There's no problem doing this.  The biggest task will
    Christopher> be collecting all of the .ssh keys of all of the
    Christopher> maintainers into one authorized_keys file.  Should we
    Christopher> just use everyone in the 'gcc' group on gcc.gnu.org?

It should be anyone who has check-in rights for the GCC CVS
repository.  Is that the same thing?

Thanks!

--
Mark Mitchell                   mark@codesourcery.com
CodeSourcery, LLC               http://www.codesourcery.com

Re: GCC maintainer account

[Mark Mitchell]

>>>>> "Gerald" == Gerald Pfeifer <pfeifer@dbai.tuwien.ac.at> writes:

    Gerald> Security-wise, wouldn't it be better to make the account
    Gerald> -rwxrwx--- with some group gccadmin, add all relevant
    Gerald> folks to that group, and have ever- yone log in using his
    Gerald> regular account, so that we can see easily who has made
    Gerald> which changes and logged in when?

Not everyone has a regular account.  For example, I don't.  My account
only allows me to do CVS -- which is probably a good thing.  The SSHD
log files will still show which key came from where.

--
Mark Mitchell                   mark@codesourcery.com
CodeSourcery, LLC               http://www.codesourcery.com

Re: GCC maintainer account

[Jason Molenda]

On Thu, Feb 15, 2001 at 10:10:19PM -0500, Chris Faylor wrote:

> I've set this account up but this could possibly be retroactively vetoed
> by the other overseers if they see this as a security risk.

As an interested bystander I'm just throwing in my two cents, but
I think that giving ~70 people login access is not such a good
idea.  It isn't a matter of trusting those 70 people personally--it's
that any one of those people having their system compromised, then
their ssh passphrase/private key snarfed, results in sourceware
being open to compromise.

I imagine this account is for things like nightly snapshots, on-line
.html generation, monthly search engine form updating (Hi H-P :-) and
the like.  I'd say that the SC should all be in the auth_keys file,
and anyone they feel has a reason to be included as well.  For
instance, if someone like Joseph Myers takes an interest in improving
the snapshot job, someone on the SC could add his public key to
the auth_keys file.

Maybe it's more work than it's worth, but I imagine that few of those
70 gcc developers will ever have call to use the account, and opening
up access more than it needs to be doesn't seem like such a good idea.

(IMHO.  On the other hand, I'm not going to be doing any of the work
in maintaining what I describe, so my feelings aren't going to be hurt
if people ignore this input.  :-)

Jason

Re: GCC maintainer account

[Mark Mitchell]

>>>>> "Jason" == Jason Molenda <jason@molenda.com> writes:

    Jason> On Thu, Feb 15, 2001 at 10:10:19PM -0500, Chris Faylor
    Jason> wrote:

    >> I've set this account up but this could possibly be
    >> retroactively vetoed by the other overseers if they see this as
    >> a security risk.

    Jason> As an interested bystander I'm just throwing in my two
    Jason> cents, but I think that giving ~70 people login access is

Sure.  That's why I suggested (after the fact) that we could use just
the SC membership.  I think that's fine.

FWIW, I've announced the existence of this account to the SC -- but
not to the general GCC mainatinership.  If someone just removes the
non-SC people from authorized_keys, we'll be all set.

Thanks,

--
Mark Mitchell                   mark@codesourcery.com
CodeSourcery, LLC               http://www.codesourcery.com

Re: GCC maintainer account

[Christopher Faylor]

On Fri, Feb 16, 2001 at 09:46:59AM +0100, Gerald Pfeifer wrote:
>On Fri, 16 Feb 2001, Christopher Faylor wrote:
>> Ok.  I have just added, to authorized_keys, *just* the SC members from
>> the list at gcc.gnu.org, along with myself, Tom Tromey, and Joseph S.
>> Myers.
>
>Thanks!
>
>Security-wise, wouldn't it be better to make the account -rwxrwx--- with
>some group gccadmin, add all relevant folks to that group, and have ever-
>yone log in using his regular account, so that we can see easily who has
>made which changes and logged in when?

I don't think that group access allows modification of crontab.  And, not
everyone has login access to sources.redhat.com, although that's easily
rectified.

cgf

Re: GCC maintainer account

[Gerald Pfeifer]

On Fri, 16 Feb 2001, Christopher Faylor wrote:
> Ok.  I have just added, to authorized_keys, *just* the SC members from
> the list at gcc.gnu.org, along with myself, Tom Tromey, and Joseph S.
> Myers.

Thanks!

Security-wise, wouldn't it be better to make the account -rwxrwx--- with
some group gccadmin, add all relevant folks to that group, and have ever-
yone log in using his regular account, so that we can see easily who has
made which changes and logged in when?

> Some of the steering committe members didn't seem to have accounts on
> gcc.gnu.org, though:
>
> Joe Buck, Torbjorn Granlund, Joel Sherrill

I mailed with Joel yesterday, and I believe he'll apply for an account
soon.

Gerald
-- 
Gerald "Jerry" pfeifer@dbai.tuwien.ac.at http://www.dbai.tuwien.ac.at/~pfeifer/

Re: GCC maintainer account

[Chris Faylor]

On Thu, Feb 15, 2001 at 06:47:52PM -0800, Mark Mitchell wrote:
>>>>>> "Christopher" == Christopher Faylor <cgf@redhat.com> writes:
>
>    Christopher> Do you want us to set up a "gccmaint" account?  Is
>    Christopher> that an adequate name?
>
>Yes, that would be perfect.  Alternatively, `gccadmin'.  Any such name
>will do!

Ok.  I've set up gccadmin.

>    Christopher> There's no problem doing this.  The biggest task will
>    Christopher> be collecting all of the .ssh keys of all of the
>    Christopher> maintainers into one authorized_keys file.  Should we
>    Christopher> just use everyone in the 'gcc' group on gcc.gnu.org?
>
>It should be anyone who has check-in rights for the GCC CVS
>repository.  Is that the same thing?

Yes.  Hmm.  You know we do try to limit login access to this machine and
this opens it open to about 70 people who didn't have general login
access before. 

I've set this account up but this could possibly be retroactively vetoed
by the other overseers if they see this as a security risk.

cgf

Re: GCC maintainer account

[Phil Edwards]

On Fri, Feb 16, 2001 at 12:09:15PM -0500, Christopher Faylor wrote:
> On Fri, Feb 16, 2001 at 09:46:59AM +0100, Gerald Pfeifer wrote:
> >
> >Security-wise, wouldn't it be better to make the account -rwxrwx--- with
> >some group gccadmin, add all relevant folks to that group, and have ever-
> >yone log in using his regular account, so that we can see easily who has
> >made which changes and logged in when?
> 
> I don't think that group access allows modification of crontab.

It doesn't.  Or at least, it shouldn't; if it does then we have problems.

The onlinedocs for libstdc++ and the 2.95.2 manual are being created by
scripts in my home directory.  Those should probably get moved, or merged,
or something.  (Actually, they're under CVS control in a repo on my local
machine... running vi on sourceware was a mistake I only had to make
once. :-)


Phil

-- 
pedwards at disaster dot jaj dot com  |  pme at sources dot redhat dot com
devphil at several other less interesting addresses in various dot domains
The gods do not protect fools.  Fools are protected by more capable fools.

Re: GCC maintainer account

[Andrew Cagney]

> If that's not acceptable to Red Hat, I fully understand.  There is no
> doubt that this account increases the risk of compromise of Red Hat
> proprietary information and the integrity of the machine.

I am not speaking for Red Hat.

I'm speaking as Head GDB Maintainer (still acting :-). The GDB CVS
repository lives on that machine.  I give the integrety and security of
the GDB CVS repository a higher priority then a few hassles with
accessing cronjobs.

As I mentioned:

> Jeff suggested a common account for a select set of users.  Going down
> that path, you could even set up a separate CVS repository and put the
> crontab entry in that.  Installing a crontab from a script is pretty
> easy. (I should note this still isn't very secure as the obvious thing
> to put in a crontab is `cp ~ftp/incomming/xyz ~/.ssh/authorize_keys`.)

To me it is the thin edge of the wedge, however it will have to do
unless someone is willing to fund a separate machine that does handle
this.

	Andrew

Re: GCC maintainer account

[Chris Faylor]

On Thu, Feb 15, 2001 at 07:30:18PM -0800, Mark Mitchell wrote:
>>>>>> "Chris" == Chris Faylor <cgf@redhat.com> writes:
>
>    Chris> I've set this account up but this could possibly be
>    Chris> retroactively vetoed by the other overseers if they see
>    Chris> this as a security risk.
>
>Actually, it doesn't work for me.  (Am I an idiot?)

No, I'm the idiot.  I somehow dropped you (of all people) from the
authorized_keys file.

I'm checking to see who else I missed.  You're definitely in the
list of people who should have been in the authorized_keys file so
I'm hoping that I just manually misedited something.

cgf

Re: GCC maintainer account

[Mark Mitchell]

>>>>> "Andrew" == Andrew Cagney <ac131313@cygnus.com> writes:

    Andrew> Chris Faylor wrote:

    >> I've set this account up but this could possibly be
    >> retroactively vetoed by the other overseers if they see this as
    >> a security risk.

    Andrew> If I've the right of veto then I'd like to veto this move.
    Andrew> It is a serious security risk :-( It scares the crap out
    Andrew> of me.

Until now, we've had a very hard time managing cron jobs, etc.,
because people had to set up these jobs out of their own accounts
(which most of the GCC SC did not have) and there was no way to see
what jobs other people had running, etc.

Now we have an account that only the GCC SC can use.  That means an
account with about 15 authorized uers -- some of whom already have
accounts on the machine.  I think that's pretty reasonable, given that
this is a GNU Project, and these people are the maintainers for this
part of the GNU Project.

If that's not acceptable to Red Hat, I fully understand.  There is no
doubt that this account increases the risk of compromise of Red Hat
proprietary information and the integrity of the machine.  

It's fine if some of the cronjobs run somewhere else.  But, we really
do need direct access to the machine.  For example, we have to be able
to manipulate the FTP site as well, and, sometimes, perform direct
surgery on the CVS repository.

If that risk isn't acceptable to Red Hat, that's perfectly
understandable.  In that case, though, we should probably move the GCC
repository to a machine that doesn't have the same risk profile.

--
Mark Mitchell                   mark@codesourcery.com
CodeSourcery, LLC               http://www.codesourcery.com

Re: GCC maintainer account

[Christopher Faylor]

On Thu, Feb 15, 2001 at 09:23:21PM -0800, Mark Mitchell wrote:
>>>>>> "Jason" == Jason Molenda <jason@molenda.com> writes:
>
>    Jason> On Thu, Feb 15, 2001 at 10:10:19PM -0500, Chris Faylor
>    Jason> wrote:
>
>    >> I've set this account up but this could possibly be
>    >> retroactively vetoed by the other overseers if they see this as
>    >> a security risk.
>
>    Jason> As an interested bystander I'm just throwing in my two
>    Jason> cents, but I think that giving ~70 people login access is
>
>Sure.  That's why I suggested (after the fact) that we could use just
>the SC membership.  I think that's fine.
>
>FWIW, I've announced the existence of this account to the SC -- but
>not to the general GCC mainatinership.  If someone just removes the
>non-SC people from authorized_keys, we'll be all set.

Ok.  I have just added, to authorized_keys, *just* the SC members from
the list at gcc.gnu.org, along with myself, Tom Tromey, and Joseph S.
Myers.

Some of the steering committe members didn't seem to have accounts on
gcc.gnu.org, though:

Joe Buck, Torbjorn Granlund, Joel Sherrill

Jim Wilson didn't have an ssh authorized_keys file.

If I've somehow missed someone it should be easy for anyone who can now
login to the account to add them to authorized_keys.

cgf

Re: GCC maintainer account

[Andrew Cagney]

Chris Faylor wrote:

> I've set this account up but this could possibly be retroactively vetoed
> by the other overseers if they see this as a security risk.

If I've the right of veto then I'd like to veto this move.  It is a
serious security risk :-(  It scares the crap out of me.

I think the obvious thing to do is to kick this stuff (especially all my
GDB cronjobs :-) off of that machine and onto a second machine that, by
its nature, is assumed to be compromised.

Given that probably won't happen, could you please look at alternatives.

Jeff suggested a common account for a select set of users.  Going down
that path, you could even set up a separate CVS repository and put the
crontab entry in that.  Installing a crontab from a script is pretty
easy. (I should note this still isn't very secure as the obvious thing
to put in a crontab is `cp ~ftp/incomming/xyz ~/.ssh/authorize_keys`.)

Another possability is some sort of chrooted environment.  Anyway, there
must be HOWTOs  somewhere that give hints on how to set this up.

enjoy,
	Andrew
;

Re: GCC maintainer account

[Alexandre Oliva]

On Feb 16, 2001, Christopher Faylor <cgf@redhat.com> wrote:

> I don't think that group access allows modification of crontab.

This is easy to address: a crontab entry that reads a file, compares
it with the installed crontab, and updates it if they differ.

-- 
Alexandre Oliva   Enjoy Guarana', see http://www.ic.unicamp.br/~oliva/
Red Hat GCC Developer                  aoliva@{cygnus.com, redhat.com}
CS PhD student at IC-Unicamp        oliva@{lsd.ic.unicamp.br, gnu.org}
Free Software Evangelist    *Please* write to mailing lists, not to me

GCC maintainer account

[Mark Mitchell]

Would one of you be willing to set up an account that allows any GCC
maintainer to log into gcc.gnu.org?

This account would be used to run cronjobs, etc., that all the GCC
maintainers might need to modify.  At present, this stuff runs out of
individual people's home directories, and there is no way for another
maintainer to modify it.  And some of us do not even have login
accounts on gcc.gnu.org.

This idea could be realized by simply putting all of the GCC
maintainers public keys together into .ssh/authorized_keys for this
account.

Thanks in advance,

--
Mark Mitchell                   mark@codesourcery.com
CodeSourcery, LLC               http://www.codesourcery.com

Re: GCC maintainer account

[Tom Tromey]

Mark> If that's not acceptable to Red Hat, I fully understand.  There
Mark> is no doubt that this account increases the risk of compromise
Mark> of Red Hat proprietary information and the integrity of the
Mark> machine.

Maybe I'm naive, but I'm not too concerned about this.

I think sources is fairly well separated from the rest of the internal
network.  If not, then that is a problem for Red Hat IS.

Also, there should never be any Red Hat confidential information
anywhere on this machine.


I agree that having a large number of people with login access is
dangerous.  However, there is a balance to be made between security
and utility.  I do think the gcc maintainers need this account.  We
just ask that they be responsible when using it.  My guess is that the
people on the Gcc steering committee are fairly responsible (though
maybe I can only say that since I'm not on the mailing list :-).

Tom

Re: GCC maintainer account

[Mark Mitchell]

>>>>> "Chris" == Chris Faylor <cgf@redhat.com> writes:

    Chris> I've set this account up but this could possibly be
    Chris> retroactively vetoed by the other overseers if they see
    Chris> this as a security risk.

Actually, it doesn't work for me.  (Am I an idiot?)

  bash$ slogin gcc.gnu.org -l gccadmin
  Permission denied.
  bash$ slogin gcc.gnu.org -l mmitchel
  E cvs [server aborted]: received interrupt signal

Is there anything in the log files?

Thanks,

--
Mark Mitchell                   mark@codesourcery.com
CodeSourcery, LLC               http://www.codesourcery.com

Re: GCC maintainer account

[Mark Mitchell]

>>>>> "Chris" == Chris Faylor <cgf@redhat.com> writes:

    Chris> I've set this account up but this could possibly be
    Chris> retroactively vetoed by the other overseers if they see
    Chris> this as a security risk.

Understood.  If necessary, we can go to a compromise situation where
only, say, steering committee members have accesss.  In fact, if you
prefer that, you could go ahead and make that change now.

Thanks very much for the quick response.

--
Mark Mitchell                   mark@codesourcery.com
CodeSourcery, LLC               http://www.codesourcery.com

Re: GCC maintainer account

[Jeffrey A Law]

  In message < 20010215192723I.mitchell@codesourcery.com >you write:
  > >>>>> "Chris" == Chris Faylor <cgf@redhat.com> writes:
  > 
  >     Chris> I've set this account up but this could possibly be
  >     Chris> retroactively vetoed by the other overseers if they see
  >     Chris> this as a security risk.
  > 
  > Understood.  If necessary, we can go to a compromise situation where
  > only, say, steering committee members have accesss.  In fact, if you
  > prefer that, you could go ahead and make that change now.
I think the best thing to do will be to add keys for GCC folks to that
account on an as-needed basis.

It's certainly a step forward from having so much stuff rely on personal
accounts (like mine).

Jeff