[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: "gserver currently only enabled for socket connections"

From: Brandon Craig Rhodes
Subject: Re: "gserver currently only enabled for socket connections"
Date: 27 Jun 2002 17:00:43 -0400
User-agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.4 (Common Lisp)

address@hidden (Larry Jones) writes:

> Have you tried running the current development release to ensure
> that it really does fix the problem?

The current development version fixes the problem.

> There don't seem to be many users of gserver (prior to your bug
> report I'd have said there don't seem to be *any* users), so it
> hasn't been a priority.

We wanted secure connections without having to create logins on our
server for our CVS users.  If the :gserver: method paid any attention
to the CVS `passwd' file then we maybe could have used the third field
to map every user on to the `cvs' account, but the :gserver: method in
fact ignores the `passwd' file - and indeed must, since the :gserver:
protocol does not provide the repository name until after the user has

In support of this method we have implemented two changes which may be
of general interest; I will probably post them after they are tested:

  - In our modified CVS, gserver_authenticate_connection(...), instead
    of calling switch_to_user(...) to assume another uid, which would
    require our server to run as root, sets the `CVS_Username' global
    variable so that the user's name will be checked against the
    `readers' and `writers' files.

  - Since the `readers' and `writers' files cannot be used to restrict
    read access, we changed the rules and also simplified them: users
    listed in `writers' can read and write; users in `readers' can
    read; and users in neither lack all access.  This was necessary so
    the thousands of users in our Kerberos database would not be given
    automatic read access.

Let me know if others are interested in these changes; both seemed
necessary to us to feel that we were running a secure service without
having to grant separate account access on our cvs server.

Brandon Craig Rhodes               
Georgia Tech                                            address@hidden

reply via email to

[Prev in Thread] Current Thread [Next in Thread]