|
From: | Phil R Lawrence |
Subject: | Re: Security, audits and pserver |
Date: | Thu, 12 Dec 2002 14:54:53 -0500 |
User-agent: | Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003 |
CHARLES HART, BLOOMBERG/ 499 PARK wrote:
um, I'm a newbie at CVS, so I've read more of the documentation than anything else, but the answers I've seen so far for the security question seem to have missed one vital point. People have write access to spots in the repository, therefore they, just like CVS, can write as they please to the ,v files. That means that there is no guarentee that the history that is present in the repository reflects the actual events in history. This hole, even if it is not exploited in an organization because everybody is "good", is still a hole, and won't pass an audit. What I'll be testing next week, is a CVS server where no "users" exist in /etc/passwd, and all access rights are granted through pserver mapping CVS user IDs to security accounts. The admin can still bypass audit controls, but that's better than having my 1,000 users being enabled to. -CTH
what about this: 1. I set up cvs-admin as a user in /etc/passwd 2. I set up these groups in etc/group: cvs-admin cvs-devel (all developers are members, this group owns LockDir, etc) cvs-devel-foo (no one is a member) cvs-devel-bar (no one is a member) cvs-devel-baz (no one is a member) 3. then I make CVSROOT (/usr/local/cvs) look like this: drwxrwsr-x 3 root cvs-admin 4096 Dec 12 14:17 . drwxr-xr-x 15 root root 4096 Dec 12 13:49 .. drwxrwsr-x 3 cvs-admin cvs-admin 4096 Dec 12 14:17 CVSROOT drwxrwsr-x 3 cvs-admin cvs-devel-foo 4096 Dec 12 14:17 foo drwxrwsr-x 3 cvs-admin cvs-devel-bar 4096 Dec 12 14:17 bar drwxrwsr-x 3 cvs-admin cvs-devel-baz 4096 Dec 12 14:17 bazThen, any user on the system can see the files, but there are no members of cvs-devel-foo, etc., so no one can modify.
Then I set up CVSROOT/passwd to map actual developer ids from /etc/passwd to the cvs-devel-foo groups.
Will cvs then allow the local developers to check-in, out, etc, via the mappings in CVSROOT/passwd, even though I'm not running pserver?
-Phil
[Prev in Thread] | Current Thread | [Next in Thread] |