[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Patch: Add support for CVS_USER environment variable

From: Derek R. Price
Subject: Re: Patch: Add support for CVS_USER environment variable
Date: Thu, 26 Feb 2004 01:25:38 -0500
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)

M.E.O'Neill wrote:

P.S. In my case, the specific application is actually a system where CVS_RSH is not ssh at all, but a cunning setuid script that handles authentication and then sets CVS_USER and runs the server. I wouldn't mind if CVS_USER only applied to cvs server incantations, but such a restriction wouldn't add any additional security.

If your script is so cunning, why can't it setuid to the username in question after authentication?

I am afraid that you may be right, however. I can't think of a good way to exploit your suggestion if it only works with `cvs server'. Of course, your patch doesn't implement this and would need documentation and test cases to be accepted. Please see the HACKING file in the top level of the CVS source distribution for more.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]