Re: cvs on unix simple security issue

From: Todd Denniston
Subject: Re: cvs on unix simple security issue
Date: Tue, 07 Mar 2006 15:28:14 -0500
User-agent: Mozilla Thunderbird 1.0.7-1.1.fc4 (X11/20050929)

address@hidden wrote:
Hello. Self-proclaimed CVS noob here.

We have this repository root located under /aps/cvs/CVSROOT and we
maintain software under directories like this


I've discovered that Unix users on the can remove CVS versioning
information by simply doing an rm under /aps/cvs/aps/fire/jcl, where
files like mysource,v exist.

However, if I attempt to secure those directories, Unix users can't
deploy to the repository.

Is there any way to secure the directories with the ",v" files while
allowing Unix users (developers) to deploy? Don't they need write access to
those directories?

Thanks for any help or information.

0) get a good backup system implemented.
1) Have someone write down the policy and get management approval for it,
        a) to remove software from a checkout do a
                `cvs rm file`; `cvs commit`
        b) anyone who is not authorized and does a Unix rm|mv inside
                of the cvs repository will be disciplined appropriately.
        c) discipline sessions will continue until
                company property stops disappearing from the
                cvs repository.
2) Inform the developers of the policy.
3) have management implement the policy.
4) change from the current method of accessing the cvs server to ssh and limit the commands the user can execute from the ssh session to CVS (search the web, others have done this and documented the procedure). Now you have authenticated and tracked logins that can be audited.
5) make sure the only way someone can log into the cvs server is with ssh.

pserver is most likely NOT your friend if you already have developers being destructive in the repository.

Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter
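Steps 4 and 5 above describe the usual "ssh, but only CVS" setup without showing it. The wrapper below is an added example, not Todd's or the CVS project's code, of the standard OpenSSH forced-command technique: sshd runs the wrapper instead of whatever the client asked for, hands the requested command over in SSH_ORIGINAL_COMMAND, and the wrapper executes `cvs server` (the only thing a `:ext:` CVS client ever requests) or refuses and logs. The install path /usr/local/bin/cvs-only, the cvs binary location, the syslog tag and the sample key are assumptions.

```shell
#!/bin/sh
# cvs-only: forced-command wrapper for sshd (added example; paths and names are assumptions).
#
# Install it per key in the CVS account's authorized_keys, e.g.
#   command="/usr/local/bin/cvs-only",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA... alice
# sshd then runs this script for every login with that key and exposes the command the
# client actually asked for in SSH_ORIGINAL_COMMAND. A cvs client using :ext: asks for
# exactly "cvs server"; anything else (a shell, "rm", "cvs server; rm -rf ...") is refused.

CVS_BIN=/usr/bin/cvs                 # assumption: cvs binary on the repository host
WRAPPER=/usr/local/bin/cvs-only      # assumption: where this script is installed
SYSLOG_TAG=cvs-only                  # assumption: tag used for audit lines in syslog

# Decide whether a requested command may run. Exact string match only: no globbing,
# no argument parsing, so shell metacharacters or extra arguments never slip through.
cvs_only_allowed() {
    case "$1" in
        "cvs server") return 0 ;;
        *)            return 1 ;;
    esac
}

# Build the authorized_keys line for one developer public key ("$1").
# The restriction options disable everything except running the forced command.
cvs_only_authorized_keys_line() {
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$WRAPPER" "$1"
}

# Audit trail: who (SSH_CLIENT is set by sshd), what they asked for, and the decision.
cvs_only_log() {
    if command -v logger >/dev/null 2>&1; then
        logger -t "$SYSLOG_TAG" "$1 user=${USER:-?} from=${SSH_CLIENT:-?} cmd=[$2]"
    fi
}

# Dispatcher: run only inside a real ssh session (sshd sets SSH_CONNECTION for every
# session), so the functions above can be sourced and tested without executing cvs.
if [ -n "${SSH_CONNECTION-}" ]; then
    requested="${SSH_ORIGINAL_COMMAND-}"      # unset means the client wanted a login shell
    if cvs_only_allowed "$requested"; then
        cvs_only_log ALLOW "$requested"
        exec "$CVS_BIN" server
    fi
    cvs_only_log DENY "$requested"
    echo "This account only accepts 'cvs server'." >&2
    exit 1
fi
```

Two operational notes. Developers then use `CVS_RSH=ssh` with a `:ext:user@host:/aps/cvs` root, and step 5 means disabling password and pserver logins for that account so the key file is the only door in. If the developers can edit their own ~/.ssh/authorized_keys they can simply drop the `command=` option, so keep the keys in a file they cannot write (an admin-owned `AuthorizedKeysFile` for the shared CVS account, or `Match User`/`ForceCommand` in sshd_config on OpenSSH versions that support it).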
