bug-cvs

Re: gssapi pserver and --allow-root


From: Derek R. Price
Subject: Re: gssapi pserver and --allow-root
Date: Fri, 15 Jun 2001 13:58:05 -0400

"Dave Berger (CVS stuff)" wrote:

>   With
>
>  o  CVS 1.11.1p1
>  o  Tru64 Unix 4.0F
>  o  "configure --with-gssapi" (using MIT Krb5 libs)
>
>   I can't seem to get the --allow-root global option in inetd.conf
> to be enforced.
>
>   Authenticating via Kerb5 and accessing the repos. works great,
> btw.  The only trouble is, the client can specify any repos. path
> they want in the "-d cvsroot" string, as long as they have krb
> tickets (sets off my sysadmin warning bells...).
>
>   I'm new to the CVS codebase, but it looks like I could get the
> behavior I want by putting a call to root_allow_ok() in server.c:
> gserver_authenticate_connection ().  Is this correct (or is there
> a simpler way)?

Sounds like you found the trick, although it implies poor code factoring
between pserver_authenticate_connection & gserver_authenticate_connection
(gs... is called from ps...).  Anyway, I can't test from here, so if you
can get it working, please submit the patch to this list and I'll commit
it if it looks good.

Derek

--
Derek Price                      CVS Solutions Architect ( http://CVSHome.org )
mailto:dprice@collab.net         CollabNet ( http://collab.net )
--
Don't confuse me with the facts, my mind's already made up!
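
Added example, not part of the original message and not CVS source code: a simplified C model of the factoring problem discussed above, where the allow-list check sits in only one authentication branch, beside a version that applies it once for every method. All function names, the request struct and the repository paths are constructed for illustration, and it assumes the requested root is known when authentication runs.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model with hypothetical names; not CVS source code. */
static const char *allowed_roots[8];
static size_t n_allowed;

/* Record one --allow-root=DIR value from the server command line. */
int allow_root_add(const char *dir)
{
    if (dir == NULL || n_allowed == sizeof allowed_roots / sizeof allowed_roots[0]) return -1;
    allowed_roots[n_allowed++] = dir;
    return 0;
}

/* Exact string match; an empty allow-list permits nothing. */
int allow_root_ok(const char *dir)
{
    for (size_t i = 0; dir != NULL && i < n_allowed; i++)
        if (strcmp(allowed_roots[i], dir) == 0) return 1;
    return 0;
}

enum auth_method { AUTH_PASSWORD, AUTH_GSSAPI };
struct request {
    enum auth_method method;
    const char *root;  /* repository path named by the client */
    int cred_valid;    /* stand-in for the password or Kerberos check result */
};

/* Reported behaviour: the GSSAPI branch returns before the root check runs. */
int accept_unfactored(const struct request *rq)
{
    if (rq->method == AUTH_GSSAPI) return rq->cred_valid;
    return allow_root_ok(rq->root) && rq->cred_valid;
}

/* Factored: one allow-list gate ahead of any per-method credential check. */
int accept_factored(const struct request *rq)
{
    return allow_root_ok(rq->root) && rq->cred_valid;
}

int main(void)
{
    struct request rq = { AUTH_GSSAPI, "/cvs/private", 1 };  /* constructed */
    allow_root_add("/cvs/public");                           /* constructed */
    printf("unfactored=%d factored=%d\n", accept_unfactored(&rq), accept_factored(&rq));
    return 0;
}
```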





