RE: Running CVS as Non-Root User

[Arthur Barrett]

Eric,

What version of CVS?  What operating system?  You've asked what
authentication schemes are possible as non-root, but let me ask you: do
you require a particular authentication (PAM, SystemAuth etc) or
protocol (ssh, pserver etc)?

I know with CVSNT (yes it runs on linux/unix) that you can use a chroot
jail if you are worried about the effects of running the process as
root.  The server process quickly drops privileges to the rights of the
client user (or runas user, or alias user) once the authentication is
complete.  Since the server drops privileges as soon as authentication
is complete then the ownership of the RCS files is unrelated to the
server process running as root.

If you are happy to run CVS/CVSNT on unix/linux and require SSH access
only then the server doesn't ever run as root (since sshd is running as
root).  

This highlights my primary concern about your question - you are perhaps
implying that it is BAD to run cvs server as root - but you are probably
more than happy to run sshd as root - they are both free/open source
software, they are both running on the same server - I think you should
trust CVS/CVSNT to do its job and concentrate on security and access
control, including the use of a chroot jail, ownership and access
control of the RCS repository, ownership and access control within
branches (cvs chacl etc).  

I run a one day course on CM Design and CVSNT Administration for
customers ;)

Regards,



Arthur Barrett
Product Manager
CVS Suite and CVSNT
March Hare Software


> -----Original Message-----
> From: 
> address@hidden 
> [mailto:address@hidden
> org] On Behalf Of address@hidden
> Sent: Friday, 21 January 2011 7:26 AM
> To: address@hidden
> Subject: Running CVS as Non-Root User
> 
> 
> Is there any definitive documentation on running CVS as a 
> non-root user?
> 
> Among the questions the answers to which concern us are the following:
> 
> *  Who owns the repo disk files when running as a non-root user;
> *  When hooks are invoked by the server when running as a 
> non-root user, as which user are they invoked?
> *  What authentication methods are available to CVS running 
> as a non-root user?
> 
> Thanks for any feedback you can provide in the way of links or info.
> 
> Eric
> 
> _______________________________________________
> 
> This e-mail may contain information that is confidential, 
> privileged or otherwise protected from disclosure. If you are 
> not an intended recipient of this e-mail, do not duplicate or 
> redistribute it by any means. Please delete it and any 
> attachments and notify the sender that you have received it 
> in error. Unless specifically indicated, this e-mail is not 
> an offer to buy or sell or a solicitation to buy or sell any 
> securities, investment products or other financial product or 
> service, an official confirmation of any transaction, or an 
> official statement of Barclays. Any views or opinions 
> presented are solely those of the author and do not 
> necessarily represent those of Barclays. This e-mail is 
> subject to terms available at the following link: 
> www.barcap.com/emaildisclaimer. By messaging with Barclays 
> you consent to the foregoing.  Barclays Capital is the 
> investment banking division of Barclays Bank PLC, a company 
> registered in England (number 1026167) with its registered 
> office at 1 Churchill Place, London, E14 5HP.  This email may 
> relate to or be sent from other members of the Barclays Group.
> _______________________________________________
> 
>