Re: Problem with admin privileges

[Todd Denniston]

Julian Opificius wrote:
> 
<SNIP>
> I have one more issue that affects my choice that I should have
> mentioned earlier. We are working in an FAA-regulated environment, and
> my CVS respository must be secure, in that nobody can impair the
> lifecycle data, and all accesses must be documented and controlled,
> i.e.e all accesses must be via the cvs server. This is why I chose
> pserver in the first place.
> 
> How can I maintain this level of integrity without pserver: keeping the
> repository itself inaccessible, while allowing write access through cvs?

If you search the list[1] and some of the howtos you should be able to
figure out how to set ssh so that the users can only execute one command on
the server, that command is 'cvs'.  If you are already giving them SSH
access to the machine, to then run pserver, you have less accountability
(and/or authentication [I can never remember which]) than if you were just
giving them SSH (with no restrictions on commands), because all logs show
the cvs user they are mapped to instead of the real user name (look for some
of Greg A. Woods posts[2] on these matters).



[1] http://lists.gnu.org/archive/html/info-cvs/
A promising hit is
http://lists.gnu.org/archive/html/info-cvs/2003-09/msg00203.html

[2]
http://lists.gnu.org/archive/cgi-bin/namazu.cgi?query=woods+AND+ssh+AND+pserver&idxname=info-cvs&max=20&result=normal&sort=score
-- 
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane) 
Harnessing the Power of Technology for the Warfighter