
Re: differenting cvs users privileges

From: Mark
Subject: Re: differenting cvs users privileges
Date: Sat, 23 Jun 2001 19:05:14 -0700 (PDT)

--- Imre Oolberg <address@hidden> wrote:

> So all files will be strictly owned by this UNIX user cvs. The home
> directory of this user is obviously a place to put under all the
> repositories. Repository corresponds in this setup to a project. And
> /home/cvs could be given 700 rights. So no-one can enter from inside the
> UNIX machine but UNIX cvs-users.

The repositories do not need to be placed under the home directory (the pseudo
user need not even have a home directory). You might want the repository on a
file system that is not shared to the network.

If you lock it down that tight, other things like CVSWeb might not work. 775 is
fine if you control the cvs account and restrict access in the group, thus
requiring people to use pserver to gain any write access to the repository
(thus basically providing the same level of security of 700).

> Please comment on running cvs pserver this way, I am sure I missed here
> something which may turn out like security flaw ...

Besides sending cleartext passwords over the network, the only other thing I
have seen on the list is the Checkin.prog and Update.prog security holes. The
security hole with the .prog can be fixed by commenting two lines in server.c.
Search the archives for more info on this patch/fix/hack.

> PPS One last thing, please tell me how to use exactly external file
> instead putting the --allow-root=/repository into /etc/inetd.conf
> I tried like this, but it didn't work for me :(
> /etc/inetd.conf:
> <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
> cvspserver     stream      tcp      nowait  root  /etc/repos   pserver
> /etc/repos:
> #!/bin/sh exec /usr/bin/cvs cvs --allow-root=/home/cvs/repos $1

(I am going from memory with these examples and it's late and I'm tired)

cvspserver  stream  tcp  nowait  cvs /home/cvs/callcvs callcvs

/home/cvs/callcvs (all one line of course):
#!/bin/sh
exec /usr/bin/cvs -f --allow-root=/cvsroot/proj1 --allow-root=/cvsroot/proj1 pserver
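
An audit of the setup discussed in this message, added here as an example and not part of the original thread or of CVS itself. It checks that the cvspserver inetd entry is not started as root (the reply's inetd line uses cvs), that the wrapper's #!/bin/sh sits alone on its first line, and that each --allow-root directory contains a CVSROOT and is not world-writable. The function names and the choice of checks are assumptions; the inetd.conf and wrapper paths are supplied by the caller.

```sh
#!/bin/sh
# Added example, not from the thread. Usage: audit.sh INETD_CONF WRAPPER

# User field (5th column) of the active cvspserver line in an inetd.conf.
# Commented-out entries do not match because their first field starts with #.
pserver_user() {
    awk '$1 == "cvspserver" { print $5; exit }' "$1"
}

# Every --allow-root path named in the wrapper script, one per line.
allowed_roots() {
    tr ' \t' '\n\n' < "$1" | sed -n 's/^--allow-root=//p' | sort -u
}

# True when "other" has no write bit on the directory (775 passes, 777 fails).
not_world_writable() {
    case $(ls -ld "$1") in ????????w*) return 1 ;; esac
}

# audit_pserver INETD_CONF WRAPPER: prints findings, returns their count.
audit_pserver() {
    n=0
    user=$(pserver_user "$1")
    case $user in
        '')   echo "no active cvspserver entry"; n=$((n + 1)) ;;
        root) echo "pserver started as root"; n=$((n + 1)) ;;
    esac
    # A shebang fused with the exec command hands the rest of the line to
    # /bin/sh as an argument, so the wrapper never runs cvs.
    if [ "$(sed -n 1p "$2")" != '#!/bin/sh' ]; then
        echo "wrapper: #!/bin/sh must be alone on the first line"; n=$((n + 1))
    fi
    for root in $(allowed_roots "$2"); do
        if [ ! -d "$root/CVSROOT" ]; then
            echo "$root: not an initialised repository"; n=$((n + 1))
        elif ! not_world_writable "$root"; then
            echo "$root: world-writable"; n=$((n + 1))
        fi
    done
    return "$n"
}

# Run against real files when two arguments are given.
if [ "$#" -eq 2 ]; then audit_pserver "$1" "$2"; fi
```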

