[distcc] Restrict Distcc over SSH (command parameter)

Martin Pool mbp at sourcefrog.net
Tue Nov 18 10:58:30 MST 2014


Thanks, Fergus. But how do those variables get set if it's invoked over ssh?

On Tue, Nov 18, 2014 at 1:15 AM, Fergus Henderson <fergus at google.com> wrote:

>
> On 17 Nov 2014 18:52, "Martin Pool" <mbp at sourcefrog.net> wrote:
> >
> > Hi, Sebastian,
> >
> > I don't recall the exact command, but it's probably going to be `distccd
> --inet ...something...`. You might be able to see it in the distcc verbose
> log.
> >
> > Being able to restrict the command would be good.
> >
> > However the main problem with this approach is that distccd in turn
> executes a client-supplied command, and it at the moment doesn't have a way
> to limit that.
>
> Actually we do have a way to limit that, via commands.allow.sh which is
> executed by /etc/init.d/distccd and which sets environment variables used
> by distccd.
>
> See the following extract from the distccd man page:
>
> -----
> *ENVIRONMENT VARIABLES*
>
> *DISTCC_CMDLIST*
> If the environment variable DISTCC_CMDLIST is set, load a list of
> supported commands from the file named by DISTCC_CMDLIST, and refuse to
> serve any command whose last DISTCC_CMDLIST_MATCHWORDS words do not
> match those of a command in that list. See the comments in src/serve.c.
>
> *DISTCC_CMDLIST_NUMWORDS*
> The number of words, from the end of the command, to match. The default is
> 1.
> ----
>
> > Two complementary things we could do:
> > - run distcc within a chroot/container that contains only the compiler -
> ideally, provide a reusable way for other people to set this up - at least
> documentation, maybe a script
> > - give distccd restrictions on what commands it can run
> >
> >
> > On Sun Nov 09 2014 at 7:29:12 AM Sebastian Wieseler <
> sebastian at nanofortnight.org> wrote:
> >>
> >> Hello Distcc List,
> >>
> >> I followed the guide http://wiki.gentoo.org/wiki/Distcc to get Distcc
> to work with SSH.
> >> That should work as follows:
> >>         /usr/bin/distcc-config --set-hosts "@test1"
> >>
> >> I'm just wondering how to keep the portage user from getting a real SSH shell
> on the "compiling box".
> >> There should be a way with the .authorized_keys and the command="…"
> parameter for the SSH key.
> >>
> >> What command will be exactly executed on the remote host within the
> distcc call?
> >> To just specify command="/usr/bin/distcc" does not work for example.
> >>
> >> Is there a way to make this even more secure? I couldn't find any
> information on this on the web.
> >> Thanks for helping.
> >>
> >> Best Regards,
> >> Sebastian 'kickino'
> >> --
> >>   ,= ,-_-. =.           /"\
> >>  ((_/)o o(\_))          \ /    ASCII Ribbon Campaign
> >>   `-'(. .)`-'   &&       X      against HTML e-mail
> >>       \_/               / \
> >>
> >>
> >> __
> >> distcc mailing list            http://distcc.samba.org/
> >> To unsubscribe or change options:
> >> https://lists.samba.org/mailman/listinfo/distcc
> >
> >
>



-- 
Martin
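Added example (not distcc project code) of how a forced command in authorized_keys can both restrict what the SSH key may run and set the variables Martin asks about, by exporting DISTCC_CMDLIST and DISTCC_CMDLIST_NUMWORDS before exec'ing distccd. The wrapper path, the commands.allow path, the nice value and the exact remote command pattern are assumptions; the thread only says the command is probably `distccd --inet ...`, so confirm the real form in the distcc verbose log and tighten the pattern to match.

```shell
#!/bin/sh
# Forced-command wrapper for the compile box (added example, not distcc code).
# Assumed install path: /usr/local/bin/distccd-ssh-wrapper, referenced from
# the authorized_keys file of the account the distcc client logs in as, e.g.:
#   command="/usr/local/bin/distccd-ssh-wrapper run",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA... portage@client
# sshd runs this script for every login with that key and exposes the command
# the client asked for in SSH_ORIGINAL_COMMAND.
set -eu

DISTCCD=/usr/bin/distccd              # assumed path
CMDLIST=/etc/distcc/commands.allow    # assumed path; one permitted compiler command per
                                      # line, matched on its last NUMWORDS words (distccd(1))
NUMWORDS=1

# The distcc client runs roughly "distccd --inet ..." on the remote side (the
# thread does not record the exact form; check the verbose log and adjust).
# Accept only that shape, with an optional "--nice N"; anything else (a shell,
# extra arguments, a "; cmd" suffix) is refused.
allowed_ssh_command() {
    case "$1" in
        "distccd --inet") return 0 ;;
        "distccd --inet --nice "[0-9]|"distccd --inet --nice "[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

run() {
    # An interactive login leaves SSH_ORIGINAL_COMMAND unset, so it is rejected too.
    if ! allowed_ssh_command "${SSH_ORIGINAL_COMMAND:-}"; then
        logger -t distccd-ssh-wrapper "rejected: ${SSH_ORIGINAL_COMMAND:-<no command>}" 2>/dev/null || true
        echo "only distccd --inet is permitted over this key" >&2
        exit 1
    fi
    # This is where the man-page variables get set in the SSH case: the wrapper
    # exports them before handing over to distccd, out of the client's control.
    export DISTCC_CMDLIST="$CMDLIST"
    export DISTCC_CMDLIST_NUMWORDS="$NUMWORDS"
    # The client's argv is discarded; the server runs its own binary and flags.
    exec "$DISTCCD" --inet --nice 10
}

case "${1:-}" in
    run) run ;;
esac
```

Combined with the no-pty/no-*-forwarding options on the key, the account can reach nothing but distccd, and distccd in turn is limited to the compilers listed in commands.allow.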