[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: differenting cvs users privileges

From: Imre Oolberg
Subject: Re: differenting cvs users privileges
Date: Sun, 24 Jun 2001 02:00:21 +0200 (EET)

Hi again!

I did some more investigation and found out that some security-conscious
people run pserver as unprivileged UNIX system user.

As simply as putting into /etc/inetd.conf something like

cvspserver stream tcp nowait cvs /usr/bin/cvs cvs -f \
--allow-root=/home/cvs/proj1-repository \
--allow-root=/home/cvs/proj2-repository \
... \

So all files will be strictly owned by this UNIX user cvs. The home
directory of this user is obvious a place to put under all the
repositories. Repository corresponds in this setup to a project. And
/home/cvs could be given 700 rights. So no-one can  enter from inside the
UNIX machine but UNIX cvs-users.

With each repositories CVSROOT/passwd file could be controlled what
CVS users could access their specific repository. Like


And no messing around with file and directory permissions inside the CVS
repository and other surgerie!

And it seems it works indeed!

Please comment on running cvs pserver this way, i am sure i missed here
something which may turn out like security flaw ...

And last but not least, will pserver be running in further cvs versions
also like undocumented in the

Best Regards, Imre


I think i can tolerate assumtion that inside a project ie repository
CVS users of that repository should trust one-another. And there could be
used cvsauth mechanics.

PPS One last thing, please tell me how to use exactly external file
instead putting the --allow-root=/repository into /etc/inetd.conf

I tried like this, but it didne work for me :(

<service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
cvspserver     stream      tcp      nowait  root  /etc/repos   pserver


#!/bin/sh exec /usr/bin/cvs cvs --allow-root=/home/cvs/repos $1

reply via email to

[Prev in Thread] Current Thread [Next in Thread]