[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: server->pserver proxy?

From: Todd Denniston
Subject: Re: server->pserver proxy?
Date: Thu, 24 Jan 2008 15:28:55 -0500
User-agent: Thunderbird (X11/20071031)

Gary Funck wrote, On 01/24/2008 02:34 PM:
On 01/25/08 06:19:12, Arthur Barrett wrote:
Is your question "How do I store two repositories on a server with
different users able to access different repos?"

The simplest way to achieve that is with two --allow_root's and set the
filesystem level ownership and permissions on the files.

I've got a pretty good handle on how --allow-root might work, and we
presently utilize users/groups to enforce some level of access control.

I prefer something like the pserver protocol because it has
per repository access control that is separate from the system's
idea of users and groups, and it makes it possible to manage
CVS access using CVS-related files/tools only.

Which if I recall correctly folks over the years have indicated are weak at 
And you are thinking about allowing read access to the _REAL_ repository from _anonymous_ users using pserver????

At least with ssh you might be able (using ssh restrictions) to restrict them to only being able to execute cvs.

If you need to get fancier then use the cvsacls script from the contrib

I looked at that and a few other add ons.  Seemed somewhat clunky
and complex.

because CVS (including the pserver portion) was never designed as a secure application, the OS was to take care of that.

CVSNT _may_ be a bit better about the security, because they have been working on several methods for authentication.

If you need to get fancier still then use CVSNT (free/GPL just like CVS
and yes it runs on unix/linux/windows/mac) and use the 'chacl' command
with ACLmode=normal.

OK.  I haven't looked into CVSNT.  Thanks for the tip.

Also: using pserver over the internet for write access is discouraged
since the password is sent in plan text.

Understood, that's why I grativated towards a server->pserver
conversion.  The server side is accessed via the ssh and
the external network.  The pserver protocol is accessed only
on the internal network (this shares a similar philosophy with
with the ssh port forwarding to pserver solution).

CVSNT has a 'sserver' protocol which is an encrypted version
of pserver.

This sounds like it will fit the bill.  Thanks.

How well supported, and widely used is CVSNT?  It doesn't
seem to be readily available via the usual collection of
repositories as an FC8 rpm for example.

  - Gary

Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter

reply via email to

[Prev in Thread] Current Thread [Next in Thread]