[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: doc on establishing pserver ...
|
From: |
Greg A. Woods |
|
Subject: |
Re: doc on establishing pserver ... |
|
Date: |
Thu, 28 Jun 2001 22:53:57 -0400 (EDT) |
[ On Thursday, June 28, 2001 at 17:44:35 (-0500), Jonathan M. Gilligan wrote: ]
> Subject: Re: doc on establishing pserver ...
>
> What you probably would like to do is to have a daemon running that calls
> cvs when requested to by a client, but isn't that just the same as what
> inetd does?
Indeed! (or more to the point what sshd effectively does)
Note also that the only savings of a standalone daemon would be the
relatively tiny extra overhead of the exec() call. This doesn't even
come close to balancing against the negatives here.
The problem with running as either a simple inetd daemon or as a stand
alone one is that CVS is also not designed with even a modicum of
attention to security. It expects only to run as the already authorised
user. A stand-alone daemon would be no more secure than the stupid
pserver crap (unless of course it incorperated great gobs of SSH and
other such stuff, and was audited with an extremely fine comb, and was
run only on systems that never ever allow a process to regain privilege,
etc., etc., etc., etc.).
The whole idea is pointless except for very very specific situations,
such as anonymous (read-only) access.
--
Greg A. Woods
+1 416 218-0098 VE3TCP <address@hidden> <address@hidden>
Planix, Inc. <address@hidden>; Secrets of the Weird <address@hidden>