From mboxrd@z Thu Jan 1 00:00:00 1970
From: Andrew Cagney
To: Chris Faylor
Cc: Mark Mitchell, overseers@gcc.gnu.org
Subject: Re: GCC maintainer account
Date: Sat, 17 Feb 2001 10:45:00 -0000
Message-ID: <3A8DE3D8.97CBD65@cygnus.com>
References: <20010215182455M.mitchell@codesourcery.com> <20010215213119.B14725@redhat.com> <20010215184752A.mitchell@codesourcery.com> <20010215221019.A14965@redhat.com>
X-SW-Source: 2001-q1/msg00240.html
Message-ID: <20010217104500.xSmeKkZGdHrlFcKXAn9UDpdp73K1UZwG4vUeaZj2Wbw@z>

Chris Faylor wrote:

> I've set this account up but this could possibly be retroactively vetoed
> by the other overseers if they see this as a security risk.

If I've the right of veto then I'd like to veto this move. It is a serious security risk :-( It scares the crap out of me.

I think the obvious thing to do is to kick this stuff (especially all my GDB cronjobs :-) off of that machine and onto a second machine that, by its nature, is assumed to be compromised.

Given that probably won't happen, could you please look at alternatives. Jeff suggested a common account for a select set of users. Going down that path, you could even set up a separate CVS repository and put the crontab entry in that. Installing a crontab from a script is pretty easy. (I should note this still isn't very secure as the obvious thing to put in a crontab is `cp ~ftp/incomming/xyz ~/.ssh/authorize_keys`.)

Another possibility is some sort of chrooted environment.

Anyway, there must be HOWTOs somewhere that give hints on how to set this up.

enjoy,
Andrew