RE: Running CVS as Non-Root User

From: eric.berg
Subject: RE: Running CVS as Non-Root User
Date: Mon, 24 Jan 2011 12:02:51 -0500

> -----Original Message-----
> From: Larry Jones [mailto:address@hidden 
> Sent: Monday, January 24, 2011 11:34 AM
> To: Berg, Eric: IT (NYK)
> Cc: address@hidden
> Subject: Re: Running CVS as Non-Root User
> address@hidden writes:
> > 
> > Is there any definitive documentation on running CVS as a non-root user?
> CVS should never be run as root.  The only exception is pserver, which
> only runs as root long enough to authenticate the user; once the user
> has been authenticated, it switches user and runs as the user instead.
> The usual advice is to avoid pserver if at all possible; it's much
> better to use ssh for remote access (CVS was never designed to run as
> root and thus has a number of security concerns; ssh was).

Right...I was more thinking of starting it in a root-oriented way, not 
necessarily running it as root.  By that I mean that I've not found any way for 
me as a non-root user to actually run a CVS server without some kind of root 
intervention to update the inetd/xinetd config. I was hoping that I could at 
least test with something like 'cvs -d' to daemonize it, but I haven't found 
any way to do that at this point.  Looking around a bit, it appears that you 
don't actually have to set up a cvs "server" if you use SSH.  Is that correct?

> > Among the questions the answers to which concern us are the following:
> > 
> > *  Who owns the repo disk files when running as a non-root user;
> The last user to modify the file owns it, regardless.

Great.  Got it.

> > *  When hooks are invoked by the server when running as a non-root
> > user, as which user are they invoked?
> Again, CVS only runs as root long enough to authenticate, so hooks are
> always run as the actual user.
> > *  What authentication methods are available to CVS running as a
> > non-root user?
> CVS shouldn't be used for authentication unless you have no 
> alternative (or are very trusting of your users).

Looks like SSH is the preferred way to go.  Just have to figure out how that 
will work for those of us developing on Windows.

> -- 
> Larry Jones
> OK, there IS a middle ground, but it's for sissy weasels. -- Calvin

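Added example, not part of the original thread and not CVS project code: a small audit that finds active pserver entries in inetd.conf-style text, which is the root-started path the quoted advice says to avoid in favour of ssh. The sample lines, paths and the `cvsd` account are constructed, and the classic inetd field layout (service, socket type, protocol, wait flag, user, program, arguments) is assumed.

```python
# Added example: flag CVS pserver entries in inetd.conf-style text.
# Assumed field layout: service socket-type protocol wait-flag user program argv...

SAMPLE_INETD = """\
# constructed sample, not taken from any real host
ftp         stream tcp nowait root /usr/sbin/in.ftpd in.ftpd
cvspserver  stream tcp nowait root /usr/bin/cvs cvs -f --allow-root=/srv/cvsroot pserver
#2401       stream tcp nowait root /usr/bin/cvs cvs -f --allow-root=/srv/old pserver
2401        stream tcp nowait cvsd /usr/bin/cvs cvs -f --allow-root=/srv/test pserver
"""


def find_pserver_entries(text):
    """Return one dict per active inetd entry that runs `cvs ... pserver`."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and disabled entries
        fields = line.split()
        if len(fields) < 7:                    # six fixed fields plus at least argv[0]
            continue
        service, _sock, _proto, _wait, user, program = fields[:6]
        argv = fields[6:]
        is_cvs = program.rsplit("/", 1)[-1] == "cvs"
        if not (is_cvs and "pserver" in argv[1:]):
            continue
        # inetd allows "user.group" or "user:group" in the user field
        account = user.replace(":", ".").split(".", 1)[0]
        roots = [a.split("=", 1)[1] for a in argv if a.startswith("--allow-root=")]
        findings.append({
            "line": lineno,
            "service": service,
            "user": account,
            "starts_as_root": account == "root",
            "allowed_roots": roots,
        })
    return findings


if __name__ == "__main__":
    for f in find_pserver_entries(SAMPLE_INETD):
        start = "starts as root" if f["starts_as_root"] else "starts as " + f["user"]
        print("line %d: pserver on %s, %s, repositories %s"
              % (f["line"], f["service"], start, f["allowed_roots"]))
```

An empty result means no inetd-launched pserver was found in the text given; access over ssh does not add an entry here.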
