bug-cvs

[Manual] Security tip using pserver and non-root maintainer


From: Jeroen van Wolffelaar
Subject: [Manual] Security tip using pserver and non-root maintainer
Date: Sun, 4 Nov 2001 23:12:28 +0100 (CET)

Hi,

In cvs_2.html documentation ('This document was generated by Eric
Gillespie Jr. on June, 14 2001 using texi2html'), section 2.9.3.1
('Setting up the server for password authentication') it says to add a
line to inetd.conf with user 'root'.

As explained in 2.9.3.3, this risks execution of any commands relatively
easily.

Often it's not possible to secure the CVSROOT/passwd file sufficiently.
As a 'solution', you can create a 'cvs' user, and put that user in your
inetd.conf. The pserver method will now only work if passwd system user
settings are cvs, and thus the worst thing that could happen is random
commands as user cvs, rather than root. This ensures that the worst
people with r/w access to $CVSROOT/CVSROOT (either by cvs or directly)
can fuck up is the repository itself.

This is particularly useful if there are non-root repository maintainers.
The root user just makes the inetd.conf change, creates a user and cvs
root directory, and then a non-root maintainer can manage the repository
without compromising system security. (AFAIK)

--Jeroen


Jeroen van Wolffelaar
Jeroen@A-Eskwadraat.nl
http://www.A-Eskwadraat.nl/~jeroen
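
A check for the setup described in the message above, added here as an example (it is not part of the original post or of the CVS manual): it reads an inetd.conf-style file and reports the account each pserver entry runs as. The function name `pserver_audit`, the sample paths and the `cvs` account are assumptions, and the sample file is constructed.

```shell
#!/bin/sh
# Report the account each CVS pserver entry in an inetd.conf runs as.
# inetd.conf fields: service socket proto wait user[.group|:group] program args...
# Only the literal account name "root" is flagged; other uid-0 accounts are not resolved.

pserver_audit() {
    # $1: path to an inetd.conf-style file; exit status 1 if any entry runs as root
    awk '
        /^[ \t]*#/ || NF < 6 { next }        # skip comments and incomplete lines
        {
            # A pserver entry is identified by service name/port or by its argument.
            is_pserver = ($1 == "cvspserver" || $1 == "2401")
            for (i = 6; i <= NF; i++) if ($i == "pserver") is_pserver = 1
            if (!is_pserver) next

            user = $5
            sub(/[.:].*$/, "", user)         # drop an optional group suffix
            verdict = (user == "root") ? "ROOT" : "OK"
            printf "%s %s line=%d\n", verdict, user, NR
            if (verdict == "ROOT") bad = 1
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample: one entry running as root, one using a dedicated
# "cvs" account as suggested in the message (paths are placeholders).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed inetd.conf sample
ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd
2401 stream tcp nowait root /usr/local/bin/cvs cvs -f --allow-root=/usr/cvsroot pserver
cvspserver stream tcp nowait cvs.cvs /usr/bin/cvs cvs -f --allow-root=/home/cvs/root pserver
EOF

pserver_audit "$sample" || echo "at least one pserver entry runs as root"
```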



