Why we don't give shell access at perl.org


Over at perl.org we generally don't give anyone shell access for any reason, but instead make people upload files and update sites with Subversion or WebDAV. It might be a bit more hassle for the contributors, but as the not so recent "incident" at the FSF shows, it's a mighty good idea. They got hacked by a local user in March (!) and only found out a few weeks ago.

We might still expose a vulnerability somehow some day (knock on wood), but with fewer people having local access, it's much less likely.

It's also a reminder why signing releases would be a good idea.


Giving shell access is always risky. I like to use something like scponly so people can use scp but not log in.


Signing releases -- note that PAUSE automatically keeps MD5 checksums of uploads (the CHECKSUMS file in authors' directories).

Signing releases again -- note that GPG-signing is much easier to verify safely than md5sums, since md5sums are either (a) stored alongside the distributed file and therefore compromisable there too, or (b) posted separately (and which user will dig out the release announcement to check the sums match?). With GPG, an attacker would have to get hold of the secret key for that pubkey too.
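The argument in the comment above, worked through as an added example (not code from the post or from PAUSE): a local attacker who can replace the tarball can also rewrite the CHECKSUMS file beside it, so the md5 check still passes, while a detached signature made with a key the attacker does not hold fails. It uses an md5sum-style CHECKSUMS layout and an HMAC-SHA256 tag as a stand-in for a GPG signature; both are assumptions for the demonstration, and the sample release contents are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample release (not a real CPAN distribution).
RELEASE_NAME = "Foo-Bar-1.00.tar.gz"
RELEASE = b"Foo-Bar-1.00.tar.gz contents (constructed sample)\n"


def make_checksums(files):
    """Build an md5sum-style CHECKSUMS text: '<md5hex>  <name>' per line (assumed layout)."""
    return "".join(f"{hashlib.md5(data).hexdigest()}  {name}\n" for name, data in files.items())


def verify_checksum(name, data, checksums_text):
    """Check `data` against the md5 recorded for `name` in the colocated CHECKSUMS text."""
    for line in checksums_text.splitlines():
        digest, _, fname = line.partition("  ")
        if fname == name:
            return hmac.compare_digest(digest, hashlib.md5(data).hexdigest())
    return False


def sign(data, key):
    """Stand-in for a detached GPG signature: a tag only the key holder can produce."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_signature(data, signature, key):
    """Verify the detached tag with the key the verifier obtained out of band."""
    return hmac.compare_digest(signature, sign(data, key))


def local_attacker_scenario():
    """Model a user with local access who replaces the release and everything stored beside it."""
    files = {RELEASE_NAME: RELEASE}
    signing_key = secrets.token_bytes(32)  # held by the release manager only
    signature = sign(RELEASE, signing_key)  # published with the release

    # The attacker swaps the tarball and regenerates the CHECKSUMS file next to it.
    tampered = RELEASE + b"# backdoor (constructed)\n"
    files[RELEASE_NAME] = tampered
    checksums = make_checksums(files)
    # Without the signing key the best they can do is leave the old signature
    # in place or forge one with a key of their own.
    forged = sign(tampered, secrets.token_bytes(32))

    return {
        "checksum_passes": verify_checksum(RELEASE_NAME, tampered, checksums),       # True
        "old_signature_passes": verify_signature(tampered, signature, signing_key),  # False
        "forged_signature_passes": verify_signature(tampered, forged, signing_key),  # False
    }
```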

Bjorn. I have an interest in security. My sister does not know this stuff, and she worked with DOS in '81.



About this Entry

This page contains a single entry by Ask Bjørn Hansen published on August 16, 2003 11:59 AM.


