[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Fw: need to force username of cvs 'action' when using shared

From: Pierre Asselin
Subject: Re: Fw: need to force username of cvs 'action' when using shared
Date: Sun, 2 May 2004 21:12:15 -0400
User-agent: tin/1.4.4-20000803 ("Vet for the Insane") (UNIX) (Linux/2.2.19-7.0.1 (i586))

Larry Jones <address@hidden> wrote:

> What you're doing (using a single account for everyone) is what is
> compromising the tracking.  What you're asking for would completely
> compromise the tracking since it would allow absolutely anyone to commit
> changes whilst claiming to be anyone else they like.

Actually, Tim might be able to preseve accountability if he keeps full
control of the public keys.  Each private key allows one developer to run
exactly one command, which sets that developers environment variable and
execs "cvs server" (so I guess the developers also need to tweak their
CVS_SERVER variable at the client end).

But CVS doesn't have an environment variable to fake the userid.
Seems that Tim would have to hack CVS and get a copy installed on the
colocated server, in his private tree if necessary.  After that, he'd
better lock down the CVSROOT/ module, otherwise his developers could
manipulate the authorized_keys file through loginfo and other hooks.
What other holes are there?  Is it worth the trouble to chase them

reply via email to

[Prev in Thread] Current Thread [Next in Thread]