[distcc] Restrict Distcc over SSH (command parameter)

Martin Pool mbp at sourcefrog.net
Mon Nov 17 11:51:47 MST 2014


Hi, Sebastian,

I don't recall the exact command, but it's probably going to be `distccd
--inet ...something...`. You might be able to see it in the distcc verbose
log.

Being able to restrict the command would be good.

However, the main problem with this approach is that distccd in turn
executes a client-supplied command, and at the moment it doesn't have a way
to limit that.

Two complementary things we could do:
- run distcc within a chroot/container that contains only the compiler -
  ideally, provide a reusable way for other people to set this up - at least
  documentation, maybe a script
- give distccd restrictions on what commands it can run


On Sun Nov 09 2014 at 7:29:12 AM Sebastian Wieseler <sebastian at nanofortnight.org> wrote:

> Hello Distcc List,
>
> I followed the guide http://wiki.gentoo.org/wiki/Distcc to get Distcc to
> work with SSH.
> That should work as follows:
>         /usr/bin/distcc-config --set-hosts "@test1"
>
> I'm just wondering how to limit the portage user to get a real SSH shell on
> the "compiling box".
> There should be a way with the .authorized_keys and the command="…"
> parameter for the SSH key.
>
> What command will be exactly executed on the remote host within the distcc
> call?
> To just specify command="/usr/bin/distcc" does not work for example.
>
> Is there a way to make this even more secure? I couldn't find any
> information on this on the web.
> Thanks for helping.
>
> Best Regards,
> Sebastian 'kickino'
> --
>   ,= ,-_-. =.           /"\
>  ((_/)o o(\_))          \ /    ASCII Ribbon Campaign
>   `-'(. .)`-'   &&       X      against HTML e-mail
>       \_/               / \
>
>
> __
> distcc mailing list            http://distcc.samba.org/
> To unsubscribe or change options:
> https://lists.samba.org/mailman/listinfo/distcc
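
A forced-command wrapper for the `command="…"` restriction discussed in this thread, as an added example that is not from either poster or the distcc project. The wrapper path, the distccd path and the allowlisted command strings are assumptions: the thread does not give the exact command, so take it from the distcc verbose log.

```shell
#!/bin/sh
# Forced-command wrapper for an SSH key that may only start distccd.
# Assumed authorized_keys entry (wrapper path and key are placeholders):
#   restrict,command="/usr/local/bin/distcc-ssh-wrapper" ssh-ed25519 AAAA...PLACEHOLDER portage@client
# "restrict" needs OpenSSH 7.2+; older servers need the explicit options
# no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding instead.

DISTCCD=/usr/bin/distccd   # assumed install path

# ASSUMPTION: one allowed client command per line. Replace these with the
# exact string the distcc verbose log shows for your client version.
ALLOWED_CMDS='distccd --inetd --enable-tcp-insecure
distccd --inetd'

# Return 0 only if $1 is exactly one allowlisted line.
distcc_cmd_allowed() {
    case $1 in
        # Reject empty input and anything outside a small safe character set.
        # This also rejects newlines, which grep -F would otherwise treat as
        # several alternative patterns ("distccd --inetd<NL>anything").
        ''|*[!A-Za-z0-9\ ./_-]*) return 1 ;;
    esac
    printf '%s\n' "$ALLOWED_CMDS" | grep -Fxq -- "$1"
}

distcc_wrapper_main() {
    # sshd puts the command the client asked for in SSH_ORIGINAL_COMMAND;
    # it is unset when the client requests an interactive shell.
    if distcc_cmd_allowed "${SSH_ORIGINAL_COMMAND:-}"; then
        # Word splitting is safe here: only allowlisted strings reach this point.
        set -- $SSH_ORIGINAL_COMMAND
        shift                       # drop the client-chosen program name
        exec "$DISTCCD" "$@"        # always run the server-side binary
    fi
    logger -t distcc-ssh -- "rejected: ${SSH_ORIGINAL_COMMAND:-<interactive>}" 2>/dev/null
    echo "distcc-only key: command rejected" >&2
    return 1
}

# Act as the forced command only when installed under the wrapper's name,
# so the functions above can be sourced and tested without side effects.
case ${0##*/} in
    distcc-ssh-wrapper) distcc_wrapper_main ;;
esac
```

This only removes the shell from the key. As the reply above points out, distccd still executes the compile command the client supplies, so the chroot/container and command restrictions listed there remain separate work.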