[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: gssapi pserver and --allow-root
From: |
Derek R. Price |
Subject: |
Re: gssapi pserver and --allow-root |
Date: |
Fri, 15 Jun 2001 13:58:05 -0400 |
"Dave Berger (CVS stuff)" wrote:
> With
>
> o CVS 1.11.1p1
> o Tru64 Unix 4.0F
> o "configure --with-gssapi" (using MIT Krb5 libs)
>
> I can't seem to get the --allow-root global option in inetd.conf
> to be enforced.
>
> Authenticating via Kerb5 and accessing the repos. works great,
> btw. The only trouble is, the client can specify any repos. path
> they want in the "-d cvsroot" string, as long as they have krb
> tickets (sets off my sysadmin warning bells...).
>
> I'm new to the CVS codebase, but it looks like I could get the
> behavior I want by putting a call to root_allow_ok() in server.c:
> gserver_authenticate_connection (). Is this correct (or is there
> a simpler way)?
Sounds like you found the trick, although it implies poor code factoring
between pserver_authenticate_connection
& gserver_authenticate_connection (gs... is called from ps...). Anyway,
I can't test from here, so if you can get it working, please submit the
patch to this list and I'll commit it if it looks good.
Derek
--
Derek Price CVS Solutions Architect ( http://CVSHome.org )
mailto:dprice@collab.net CollabNet ( http://collab.net )
--
Don't confuse me with the facts, my mind's already made up!