Steve Litt wrote on 05/06/18 05:34:
Hi all,Timing is everything. I was about to put my Stylz project on GitHub. No more. GitLab's a maybe, but unexpected bad stuff happens in Open Source too: systemd, Caldera going to the dark side, etc. My understanding, from reading man pages of a very few git commands, is that git comes with a server to serve out read-only access to my repository. And for those few with push/commit/branch rights, I can give them ssh logins, key access only. 1) Can I put the preceding in a sandbox from which limited harm can be done? 2) Can I enforce that those keys must have passwords? Passwords of a certain length and quality? 3) What security precautions must I take if this is on my daily driver desktop?
I'd suggest using a qemu VM on a pair of raw disk files, with nfs mounted repository tree, and sshd_config set up to disallow empty passwords. The VM would be set up such the one holds all software and configuration, and the other anything dynamic, so as to allow the one disk file to be read-only "in production".
Furter, you'd make the networking pass through the host, so you can configure a highly restrictive firewall around the VM, e.g. disallowing all TCP connections other than inbound ssh, and all UDP traffic other than DNS.
Ralph. _______________________________________________ Dng mailing list Dng@lists.dyne.org https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
