savannah-hackers


Re: [Savannah-help-public] Access to Savannah thru http?


From: Sylvain Beucler
Subject: Re: [Savannah-help-public] Access to Savannah thru http?
Date: Sun, 13 Feb 2005 20:37:43 +0100
User-agent: Mutt/1.4.2.1i

First of all, it would be interesting to look at a similar issue:
https://gna.org/forum/forum.php?forum_id=176

---
Some sysadmins, by mistake, tend to think that blocking outbound ports is an 
interesting security measure. It is not a security measure, it's a political 
one. Solving the political problem can be very important. And on the average, 
counterfeiting stupid firewalls with odd usages of the Internet has never been 
rewarding, on the contrary.

However, we would not like to put Free Software developers in a dead-end 
because of this issue.

We do allow SSH access on the port 443, usually dedicated to https, on 
cvs.gna.org, download.gna.org and arch.gna.org.

We may at a later point remove that possibility, if we need to. This is not a 
good way to go, it must be considered as a temporary solution, a dirty 
workaround. The way to go is clearly to solve the political problem.

The way to go is definitely to get the firewall configured properly. Sysadmins 
are supposed to be here to help you to get things done, not the contrary.
---

(Note that the university and the engineering school where I went do not
have such outgoing traffic restrictions.)

If it is just a matter of port number, and if we have a spare IP at
gnu.org, I think we could provide a similar way to do the
job. However, this should be documented as a non-natural way to do the
job, and we should encourage people to get their university to change its
policy.

If, however, the university is paranoid enough to check that outgoing
traffic is really HTTP traffic, then this solution won't work. In this
case, this would require working on and maintaining a non-standard way to
provide the access, which we disagree with, and would also cause more
load on Savannah, which really doesn't need this.

In particular, doing a CGI interface leads to security issues:
the CGI needs to be suid so as to setuid to the user's id, and I think
Apache would need to be modified to allow this.

-- 
Sylvain Beucler and Michael Flickinger


On Sun, Feb 13, 2005 at 07:38:58AM -0500, Richard Stallman wrote:
>     I am not very familiar with the problem. I think we need to have
>     a daemon listening on port 80 at Savannah, that would redirect
>     the traffic to the appropriate port, with or without encapsulation in
>     HTTP from the client.
> 
> Would it be possible to have a page that accepts input from a
> logged-in user and carries out a CVS command?  We would need a
> suitable CVS communication agent that dresses up a command in this
> format so that it can be sent to Apache.
> 
> Another way to think of this is as a CGI front-end for CVS.
> 
>     You could make it a virtual interface.  That's extremely simple to do; I
>     do it all the time to allow different HTTPS addresses with different
>     SSL certificates to be hosted by the same Apache server.
> 
> If that method works and is convenient, I have nothing against it.



