savannah-cvs

[Savannah-cvs] [672] update after disabling SFTP


From: ineiev
Subject: [Savannah-cvs] [672] update after disabling SFTP
Date: Mon, 27 Nov 2023 04:54:02 -0500 (EST)

Revision: 672
http://svn.savannah.gnu.org/viewvc/?view=rev&root=administration&revision=672
Author:   ineiev
Date:     2023-11-27 04:54:00 -0500 (Mon, 27 Nov 2023)
Log Message:
-----------
update after disabling SFTP

Modified Paths:
--------------
    trunk/sviki/Architecture.png
    trunk/sviki/Architecture.svg
    trunk/sviki/DownloadArea.mdwn
    trunk/sviki/GNUArch.mdwn
    trunk/sviki/GnuArchitecture.mdwn
    trunk/sviki/JustSFTP.mdwn
    trunk/sviki/MailSystem.mdwn
    trunk/sviki/SavannahHackingIdeas.mdwn
    trunk/sviki/SavannahServices.mdwn
    trunk/sviki/SharedDownloadArea.mdwn

Modified: trunk/sviki/Architecture.png
===================================================================
(Binary files differ)

Modified: trunk/sviki/Architecture.svg
===================================================================
--- trunk/sviki/Architecture.svg        2023-11-27 09:53:10 UTC (rev 671)
+++ trunk/sviki/Architecture.svg        2023-11-27 09:54:00 UTC (rev 672)
@@ -204,15 +204,15 @@
     d = "M 340,55 360,40 h 165"
     stroke = "#006600" stroke-width = "2px" fill = "none"
     marker-start = "url(#green-tail)"
-    id = "download-sftp-link" />
+    id = "download-scp-link" />
   <text
    x = "530" y = "33"
    text-anchor = "start" fill = "#006600" font-size = "14px"
-  >group member upload</text>
+  >group member</text>
   <text
    x = "530" y = "48"
    text-anchor = "start" fill = "#006600" font-size = "14px"
-  >(SCP, SFTP)</text>
+  >upload (SCP)</text>
   <path
     d = "M 530,64 370,70"
     stroke = "#000000" stroke-width = "1px" fill = "none"
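Review bot: renaming the element id from `download-sftp-link` to `download-scp-link` is only safe if nothing else in Architecture.svg (a `<use>`, a style rule, a script) references the old id; the hunk shows just this one element, so please grep the rest of the file before committing. The re-split label ("group member" / "upload (SCP)") reads fine, and Architecture.png is regenerated in the same revision, which is good.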

Modified: trunk/sviki/DownloadArea.mdwn
===================================================================
--- trunk/sviki/DownloadArea.mdwn       2023-11-27 09:53:10 UTC (rev 671)
+++ trunk/sviki/DownloadArea.mdwn       2023-11-27 09:54:00 UTC (rev 672)
@@ -52,7 +52,7 @@
 
 If you upload subdirectories, be sure to chmod a+rx them.
 
-For removing wrongly uploaded files, use sftp.
+For removing wrongly uploaded files and directories, use ssh rm and ssh rmdir.
 
 OpenSSH 9.0 was released on 2022-04-08 and
 switches the scp from using the legacy scp/rcp protocol to using SFTP
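Review bot: "use ssh rm and ssh rmdir" is too terse for a user-facing page; either spell out the form (`ssh <USER>@download.savannah.gnu.org rm /srv/download/<GROUP>/<FILE>`) or link the ssh section of SavannahServices. The unchanged paragraph that follows also needs a second look: it explains that scp since OpenSSH 9.0 uses the SFTP protocol, so with SFTP disabled a 9.0+ client will only work if the server still serves the legacy scp protocol, in which case users need `scp -O`; the page should state which of the two applies so uploads do not fail silently for people on recent clients.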

Modified: trunk/sviki/GNUArch.mdwn
===================================================================
--- trunk/sviki/GNUArch.mdwn    2023-11-27 09:53:10 UTC (rev 671)
+++ trunk/sviki/GNUArch.mdwn    2023-11-27 09:54:00 UTC (rev 672)
@@ -31,7 +31,7 @@
 There used to be a naming convention where only one archive was created
 at the top-level, but now since users did not follow it (to be able to
 mirror existing archives, add several archives with different settings,
-etc.) we now give access with plain SFTP with no archives layout
+etc.) we now give access with plain RSYNC with no archives layout
 whatsoever. This makes it more difficult to write tools to manage
 archives (such as the [[ArchZoom]] archive registration above) but it's
 far more convenient for users.
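Review bot: replacing "plain SFTP" with "plain RSYNC" in a sentence that narrates past decisions ("we now give access with ...") rewrites history rather than recording the change; unless GNU Arch archives are really served over rsync now, prefer the pattern used in SavannahServices in this same revision ("disabled in 2023") or a dated note. Also write `rsync` in lowercase as the other pages do.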
@@ -48,7 +48,7 @@
 At a point we had a modified SSH server that allowed to send commit
 notifications. Since GNU Arch is not meant to be used through an
 intelligent server we disabled this and repositories are not accessed
-via a dumb, unmodified SFTP access. Old documentation:
+via a dumb, unmodified RSYNC access. Old documentation:
 
 To setup commit notifications for a project, simply create a file in the
 project's root archive named setup.conf. (ex: for the administration
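Review bot: "repositories are not accessed via a dumb, unmodified RSYNC access" reads wrong twice: "not" looks like a typo for "now" in the unchanged context line, and "dumb, unmodified ... access" was describing the stock SSH server (as opposed to the modified one mentioned above), which does not carry over to rsync. Since the line is being touched, fix the typo and say what the access path actually is now.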

Modified: trunk/sviki/GnuArchitecture.mdwn
===================================================================
--- trunk/sviki/GnuArchitecture.mdwn    2023-11-27 09:53:10 UTC (rev 671)
+++ trunk/sviki/GnuArchitecture.mdwn    2023-11-27 09:54:00 UTC (rev 672)
@@ -1,7 +1,7 @@
 # Hosts of the GNU Project
 
 -   savannah: hosting Savane webui & trackers, VCSs (cvs, svn, git, hg,
-    bzr - anonymous, shell and web accesses), downloads (http & sftp) -
+    bzr - anonymous, shell and web accesses), downloads (http & scp) -
     cf. [[SavannahArchitecture]]
 -   savannah-backup: Savannah daily backup (accesses LVM snapshots for
     consistency); DNS server for *.savannah.gnu.org
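Review bot: "downloads (http & scp)" undersells what SavannahServices documents in this same revision: rsync download still works and there is restricted ssh for rm/rmdir. Either list them ("http, scp, rsync, restricted ssh") or point at [[SavannahServices]] so the two pages do not drift apart.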

Modified: trunk/sviki/JustSFTP.mdwn
===================================================================
--- trunk/sviki/JustSFTP.mdwn   2023-11-27 09:53:10 UTC (rev 671)
+++ trunk/sviki/JustSFTP.mdwn   2023-11-27 09:54:00 UTC (rev 672)
@@ -11,3 +11,6 @@
 -   This may help supporting new SCMs, but this actually requires more
     work than that, e.g. repository web viewers, or upgrading VCS
     format, etc. Mature/stable SCMs require less time.
+
+-   In 2023, we couldn't come up with any way to restrict SFTP access
+    to directories like /etc.
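Review bot: the new bullet records the outcome but not the reasoning, which is the part a future maintainer needs. The item removed from SavannahHackingIdeas in this same revision said the plan was a "proper chroot" blocked by the vcs/download NFS mounting issues; that is the standard sshd answer (a `Match` block with `ChrootDirectory` and `ForceCommand internal-sftp`), so please state here why it was not viable. The wording "restrict SFTP access to directories like /etc" is also ambiguous (it can be read as restricting access *to* /etc); "prevent SFTP users from reading directories like /etc" says what is meant.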

Modified: trunk/sviki/MailSystem.mdwn
===================================================================
--- trunk/sviki/MailSystem.mdwn 2023-11-27 09:53:10 UTC (rev 671)
+++ trunk/sviki/MailSystem.mdwn 2023-11-27 09:54:00 UTC (rev 672)
@@ -69,7 +69,7 @@
 Alias tables are only updated on `internal'.
 
 -   (clearly stale info as we don't own the dom0 any more, but leaving
-    for what it may be worth) frontend, sftp, vcs-noshell \_and\_ the
+    for what it may be worth) frontend, vcs-noshell \_and\_ the
     host/dom0: an exim4 system is configured (see
     infra/exim\_forwarder.txt):
 

Modified: trunk/sviki/SavannahHackingIdeas.mdwn
===================================================================
--- trunk/sviki/SavannahHackingIdeas.mdwn       2023-11-27 09:53:10 UTC (rev 
671)
+++ trunk/sviki/SavannahHackingIdeas.mdwn       2023-11-27 09:54:00 UTC (rev 
672)
@@ -146,11 +146,3 @@
 34. Assign every new user a `uidNumber` automatically and get rid of
     `sv_assign_uid_gid` script.
     Search for `uidNumber` in [[UserAuthentication]] for details.
-35. Fix (re-enable) sftp access to 'download0'. SFTP access was disabled
-    following a vulnerability report by Sylvain. SCP/RSYNC are the only
-    methods allowed. The first step towards enabling SFTP is to fix
-    the vcs/download NFS mounting issues (need FSF-admin help), then
-    setup a proper chroot.
-    See [message from 
Bob](https://lists.gnu.org/archive/html/savannah-hackers-public/2017-03/msg00047.html),
-    [sr#109321](https://savannah.gnu.org/support/?109283) and
-    [sr#109321](http://savannah.gnu.org/support/?109321).
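Review bot: deleting item 35 outright loses the only record of why SFTP was disabled (the vulnerability report by Sylvain, the NFS prerequisite, and three links). Since JustSFTP gains a 2023 bullet in this same revision, move those references there instead of dropping them; while doing so, fix the first support link, whose text says sr#109321 but whose URL is ?109283.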

Modified: trunk/sviki/SavannahServices.mdwn
===================================================================
--- trunk/sviki/SavannahServices.mdwn   2023-11-27 09:53:10 UTC (rev 671)
+++ trunk/sviki/SavannahServices.mdwn   2023-11-27 09:54:00 UTC (rev 672)
@@ -210,12 +210,27 @@
     - Download a file using ssh public key + Savannah User:
       `rsync -avhP <USER>@download.savannah.gnu.org:/releases/<GROUP>/<FILE> 
LOCALFILE`
     - Uploading a file (only to groups in which USER is a member):
-      `rsync -avhP LOCALFILE  
<USER>@download.savannah.gnu.org/srv/download/<GROUP>/<FILE>`
+      `rsync -avhP LOCALFILE  
<USER>@download.savannah.gnu.org:/srv/download/<GROUP>/<FILE>`
+      Doesn't work as of 2023-11-27, use scp instead.
 
-- sftp access
-    - `sftp <USER>@download.savannah.gnu.org`
+- ssh access using SSH public keys registered in USER account
+  `ssh <USER>@download.savannah.gnu.org <COMMAND>`
+  where COMMAND is selected from limited set including
+    - Removing a file (only from groups in which USER is a member):
+      `ssh <USER>@download.savannah.gnu.org rm /srv/download/<GROUP>/<FILE>`
+    - Removing an empty directory (only from groups in which USER is a member):
+      `ssh <USER>@download.savannah.gnu.org rmdir /srv/download/<GROUP>/<DIR>`
 
+- scp access using SSH public keys registered in USER account
+    - Download a file:
+      `scp <USER>@download.savannah.gnu.org:/srv/download/<GROUP>/<FILE> 
LOCALFILE`
+    - Upload a file (only to groups in which USER is a member):
+      `scp LOCALFILE 
<USER>@download.savannah.gnu.org:/srv/download/<GROUP>/<FILE>`
 
+- sftp access (disabled in 2023-11-27)
+    - was: `sftp <USER>@download.savannah.gnu.org`
+
+
 ## internal
 
 The `internal0.savannah.gnu.org` VM runs the Savannah database (mysql).
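Review bot: "COMMAND is selected from limited set including" followed by only `rm` and `rmdir` leaves users guessing; enumerate the full allowed set and say where it is enforced (the forced command or restricted shell on download.savannah.gnu.org), because SharedDownloadArea still needs a way to change a file's group and readers will look here for it. The rsync upload line gets the missing `:` but is then marked "Doesn't work as of 2023-11-27, use scp instead": if the restricted command set is what blocks it (rsync over ssh has to run rsync on the remote side), say so rather than leaving it as a mystery. Minor: "(disabled in 2023-11-27)" should be "on 2023-11-27", and the two extra blank lines added before "## internal" can go.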
@@ -275,7 +290,7 @@
     - rsync configuration in `lists:/etc/rsyncd.conf`:
         - Publishes module `mbox`, served from `lists:/arc/mharc-mbox`
     - To list available archives: `rsync rsync://lists.gnu.org/mbox/`
-    - To download full archive of one mailing list:  
+    - To download full archive of one mailing list:
       `rsync -avhP rsync://lists.gnu.org/mbox/bug-texinfo .`
 
 [[Spam handling|ListHelperAntiSpam]] is a whole subject in itself.

Modified: trunk/sviki/SharedDownloadArea.mdwn
===================================================================
--- trunk/sviki/SharedDownloadArea.mdwn 2023-11-27 09:53:10 UTC (rev 671)
+++ trunk/sviki/SharedDownloadArea.mdwn 2023-11-27 09:54:00 UTC (rev 672)
@@ -7,44 +7,15 @@
 
 Savannah is specially configured for this task: the download areas carry
 the 'setgid' bit (`chmod g+s`) so that newly created directories belong
-to your project group. Moreover, the default umask for all SSH sessions
+to your group. Moreover, the default umask for all SSH sessions
 is 002, which means members of your group will have write access to the
 files and directories you create.
 
-Unfortunately, tools like `scp` and `sftp` do not always respect this:
+Unfortunately, tools like `scp` do not always respect this:
 
 > -   new files sent via scp get the original file's permissions ([sr
 >     \#105830](https://savannah.gnu.org/support/?105830))
-> -   sftp breaks the setgid bit (chmod's mode is AND'd `0777`) ([sr
->     \#105838](https://savannah.gnu.org/support/?105838) )
 
-How to set permissions
-----------------------
-
-First, vote for this [sftp
-bug](http://bugzilla.mindrot.org/show_bug.cgi?id=1310):)
-
-The simplest way is to correctly chmod your files before upload:
-
--   mode `664` (or `ug=rw,o=r`) for files
--   mode `2755` (`ug=rwx,g+s,o=rx`) for directories
-
-Always remember to give group write access, so other members of your
-team can also manage the download area. Make sure the group is your
-project, not `svusers`, otherwise all Savannah members can alter your
-files.
-
-One simple way to manage the download area is to maintain a local copy
-on your computer, synchronize it using rsync:
-
-    local$ cd /tmp
-    local$ mkdir -m 2775 mydir
-    local$ scp -rp mydir me@dl.sv.gnu.org:/releases/myproject/
-    # or
-    local$ rsync -a mydir/ me@dl.sv.gnu.org:/releases/myproject/mydir/
-    # or (shorter)
-    local$ rsync -a mydir me@dl.sv.gnu.org:/releases/myproject/
-
 How to fix permissions for existing files
 -----------------------------------------
 
@@ -52,31 +23,14 @@
 by downloading the whole download area, and uploading only the fixed
 directories:
 
-    mkdir myproject_da
-    scp -r erk@dl.sv.nongnu.org:/releases/myproject myproject_da
-    # myproject_da contains 'myproject/'
-    mkdir myproject_dironly
-    cd myproject/
-    find . -type d -exec mkdir ../myproject_dironly/{} \;
-    cd myproject_dironly/
+    mkdir mygroup_da
+    scp -r erk@dl.sv.nongnu.org:/releases/mygroup mygroup_da
+    # mygroup_da contains 'mygroup/'
+    mkdir mygroup_dironly
+    cd mygroup/
+    find . -type d -exec mkdir ../mygroup_dironly/{} \;
+    cd mygroup_dironly/
     chmod -R g+ws .
-    scp -rp myproject erk@dl.sv.nongnu.org:/releases/
+    scp -rp mygroup erk@dl.sv.nongnu.org:/releases/
 
 This doesn't fix the directories group though.
-
-To change a file group, you need to use the numerical id. Example, to
-change 'administration' to 'savane-cleanup':
-
-    sftp> ls -l
-    -rw-r--r--    1 Beuc     administration  6497801 Jun 24 18:14 
savane-3.1-zeta.tar.gz
-    drwxrwsr-x    2 Beuc     savane-cleanup     4096 Jun 25 08:53 test-install
-    sftp> ls -ln
-    -rw-r--r--    0 68632    5038      6497801 Jun 24 20:14 
savane-3.1-zeta.tar.gz
-    drwxrwsr-x    0 68632    6870         4096 Jun 25 10:53 test-install
-    sftp> chgrp savane-cleanup savane-3.1-zeta.tar.gz
-    You must supply a numeric argument to the chgrp command.
-    sftp> chgrp 6870 savane-3.1-zeta.tar.gz
-    Changing group on /srv/download/savane-cleanup/savane-3.1-zeta.tar.gz
-    sftp> ls -l
-    -rw-r--r--    1 Beuc     savane-cleanup  6497801 Jun 24 18:14 
savane-3.1-zeta.tar.gz
-    drwxrwsr-x    2 Beuc     savane-cleanup     4096 Jun 25 08:53 test-install
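Review bot: the relative paths in the rewritten command sequence do not line up: after `mkdir mygroup_da` and the scp into it, `cd mygroup/` fails because the copy is at `mygroup_da/mygroup/`, and from there `../mygroup_dironly` does not exist, nor does `mygroup` inside `mygroup_dironly` for the final `scp -rp mygroup`. Suggested fix for the three middle lines: `cd mygroup_da/mygroup/`, `find . -type d -exec mkdir -p ../../mygroup_dironly/mygroup/{} \;`, `cd ../../mygroup_dironly/`; the `chmod -R g+ws .` and the final scp then work as written. Separately, deleting the sftp `chgrp` transcript leaves "This doesn't fix the directories group though." as the last line with no remedy; either document that group changes are currently impossible through the restricted ssh commands in SavannahServices, or add `chgrp` to that command set and show the ssh form here.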
