info-cvs
Re: Security, audits and pserver


From: CHARLES HART, BLOOMBERG/ 499 PARK
Subject: Re: Security, audits and pserver
Date: Thu, 12 Dec 2002 12:33:27 -0500 (EST)

Um, I'm a newbie at CVS, so I've read more of the documentation than anything
else, but the answers I've seen so far for the security question seem to have
missed one vital point.  People have write access to spots in the repository,
therefore they, just like CVS, can write as they please to the ,v files. That
means that there is no guarantee that the history that is present in the
repository reflects the actual events in history.  This hole, even if it is not
exploited in an organization because everybody is "good", is still a hole, and
won't pass an audit.  What I'll be testing next week is a CVS server where no
"users" exist in /etc/passwd, and all access rights are granted through pserver
mapping CVS user IDs to security accounts. The admin can still bypass audit
controls, but that's better than having my 1,000 users being enabled to. -CTH
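
An added example, not part of the original post: a small audit of a `CVSROOT/passwd` file for the setup described above, where every pserver login is expected to map to one of a few shared service accounts rather than to a personal system account. The account names `cvsrw` and `cvsro`, the function name and the sample entries are constructed assumptions; the check also assumes `SystemAuth=no` is set in `CVSROOT/config` so that logins missing from this file are not checked against system accounts.

```python
# Added example (not from the original post).
# CVSROOT/passwd entries have the form
#   cvsuser:crypted_password:system_account
# The password may be empty, and if system_account is omitted the server
# runs as the system account with the same name as cvsuser.

# Constructed sample entries; hashes and account names are placeholders.
SAMPLE_PASSWD = """\
alice:Xy1abCdEfGhIj:cvsrw
bob:Qz9LmNoPqRsTu:cvsro
carol:Ab3dEfGhIjKlM
dave::cvsrw
eve:Cd5fGhIjKlMnO:root
"""


def audit_pserver_passwd(text, allowed_accounts):
    """Return (line_number, cvs_user, issue) tuples for risky mappings."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split(":")
        cvs_user = fields[0]
        password = fields[1] if len(fields) > 1 else ""
        system = fields[2] if len(fields) > 2 else ""

        if password == "":
            # An empty password field lets this CVS user log in with no password.
            findings.append((lineno, cvs_user, "empty-password"))
        if system == "":
            # No explicit mapping: the login needs a same-named system
            # account, which is what this design is trying to avoid.
            findings.append((lineno, cvs_user, "implicit-account"))
        elif system not in allowed_accounts:
            # Mapped to something other than the approved service accounts.
            findings.append((lineno, cvs_user, "unapproved-account"))
    return findings


if __name__ == "__main__":
    for finding in audit_pserver_passwd(SAMPLE_PASSWD, {"cvsrw", "cvsro"}):
        print(finding)
```

The mapping narrows who can touch the `,v` files directly only if file permissions in the repository grant write access to the service accounts alone.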





