Re: Problem with admin privileges

From: Julian Opificius
Subject: Re: Problem with admin privileges
Date: Tue, 05 Jul 2005 15:49:30 -0500
User-agent: Mozilla Thunderbird 1.0.2 (Windows/20050317)

Todd Denniston wrote:

Big question: What do you think using :pserver: at this point gains you and
your users over just :ext: over ssh?
Because they already have (and will continue to have) valid system shell
login, from here it only looks like more admin trouble to set up and maintain
pserver, plus it probably reduces the authentication or authorization you
had from the ssh and system level, especially when a new pserver hole comes

How does a hole in pserver reduce security? Is ssh protecting me or not? I realize that all security is additive, but pserver would seem to be no more than paint on the wall of ssh, meaning that if ssh goes down, pserver won't help, but then again it won't hinder either.

I have solved most of my admin problem by running admin users as
themselves using $CVSROOT/CVSROOT/passwd entries like this:
rather than as the global cvs user:


Why use the $CVSROOT/CVSROOT/passwd at all? Just use the system
authentication fallback; it SHOULD make your life easier because only the
system level auth files need to be scrubbed when someone leaves, not the system
level AND all the cvs repos.

The only reason I am using pserver is that it allows my users to have CVS-controlled access to the repositories without giving them direct write access to them. If you can suggest another way of doing that, I'd be glad to use it.

From a security perspective, my understanding is that ssh gives me adequate protection from invasion from the outside world (ssh is the only port mapped through NAT to the server), and I have not yet identified a need to protect my data from malicious intent from inside, so I'm not really sure what the risks of pserver over ssh really are.

As a final disclaimer: I'm an embedded software engineering manager, not a network guru, and the network is a means to an end, not a reason to live, so if I'm missing something, please feel free to snicker and roll your eyes - as long as you then enlighten me as to what I "should" be doing ;-)
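
Added example, not part of the original message or of CVS itself: the offboarding concern raised in the quoted reply (scrubbing every repository when someone leaves), written as a check over each repository's `CVSROOT/passwd`, whose entries have the form `login:crypted-password:system-user`. The repository paths, logins and hash values are constructed, and the shared account name `cvs` is an assumption based on the "global cvs user" mentioned in the thread.

```python
# Added example: every path, login and hash below is constructed.
SHARED_ACCOUNT = "cvs"  # assumption: the "global cvs user" from the thread

SAMPLE_REPOS = {  # repository path -> contents of its CVSROOT/passwd
    "/cvs/firmware": (
        "alice:CONSTRUCTEDHASH01:cvs\n"
        "julian:CONSTRUCTEDHASH02:julian\n"
        "bob::cvs\n"
    ),
    "/cvs/tools": (
        "alice:CONSTRUCTEDHASH03\n"
        "carol:CONSTRUCTEDHASH04:cvs\n"
    ),
}

def parse_passwd(text):
    """Yield (login, crypted, run_as) per entry; run_as defaults to login."""
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.strip().split(":")
        login = fields[0]
        crypted = fields[1] if len(fields) > 1 else ""
        run_as = fields[2] if len(fields) > 2 and fields[2] else login
        yield login, crypted, run_as

def offboarding_report(repos, departed):
    """Entries to scrub when `departed` leaves: matched as login or run-as user."""
    return sorted(
        (repo, login, run_as)
        for repo, text in repos.items()
        for login, _, run_as in parse_passwd(text)
        if departed in (login, run_as)
    )

def audit(repos):
    """Flag empty password fields and logins not mapped to the shared account."""
    findings = []
    for repo, text in repos.items():
        for login, crypted, run_as in parse_passwd(text):
            if not crypted:
                findings.append((repo, login, "empty-password"))
            if run_as != SHARED_ACCOUNT:
                findings.append((repo, login, "not-shared-account"))
    return sorted(findings)

if __name__ == "__main__":
    for row in offboarding_report(SAMPLE_REPOS, "alice") + audit(SAMPLE_REPOS):
        print(*row)
```

The offboarding report shows the per-repository entries that must be removed in addition to the system account; the audit lists logins that run with their own system identity rather than the shared one.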


