info-cvs

Re: differenting cvs users privileges


From: Imre Oolberg
Subject: Re: differenting cvs users privileges
Date: Sun, 24 Jun 2001 02:00:21 +0200 (EET)

Hi again!

I did some more investigation and found out that some security-conscious
people run pserver as an unprivileged UNIX system user.

It is as simple as putting something like this into /etc/inetd.conf:

cvspserver stream tcp nowait cvs /usr/bin/cvs cvs -f \
--allow-root=/home/cvs/proj1-repository \
--allow-root=/home/cvs/proj2-repository \
... \
pserver

So all files will be strictly owned by this UNIX user cvs. The home
directory of this user is obviously the place to put all the
repositories under. In this setup a repository corresponds to a project. And
/home/cvs could be given 700 rights, so no one from inside the
UNIX machine but the UNIX cvs user can enter it.

With each repository's CVSROOT/passwd file it can be controlled which
CVS users may access that specific repository, like:

imre:56dgaE3xe0A8c:cvs
heno:56dgaE3xe0A8c:cvs

And no messing around with file and directory permissions inside the CVS
repository and other surgery!

And it seems it works indeed!

Please comment on running cvs pserver this way; I am sure I missed
something here which may turn out to be a security flaw ...

And last but not least, will pserver also run this way in future cvs versions,
as described (undocumented) at http://cvshome.org/dev/patches/nonroot?


Best Regards, Imre

PS

I think I can tolerate the assumption that inside a project, i.e. repository,
the CVS users of that repository should trust one another. And the
cvsauth mechanics could be used.

PPS One last thing: please tell me exactly how to use an external file
instead of putting --allow-root=/repository into /etc/inetd.conf.

I tried it like this, but it didn't work for me :(

/etc/inetd.conf:
<service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
cvspserver     stream      tcp      nowait  root  /etc/repos   pserver


/etc/repos:

#!/bin/sh
exec /usr/bin/cvs cvs --allow-root=/home/cvs/repos $1
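The wrapper below is an added example (not code from the original post, and not part of CVS itself) of the "external file" idea from the PPS: inetd still starts the program as the unprivileged cvs user named in the user field, but the list of --allow-root repositories lives in a file, one absolute path per line, rather than on the inetd.conf line (which has to fit on a single line anyway). Two things about inetd are worth knowing when writing such a wrapper: the args field in inetd.conf starts with argv[0], so in the /etc/repos script above the word pserver arrives as $0 and $1 is empty; and a plain `exec /usr/bin/cvs cvs ...` from sh passes that second "cvs" to cvs as its first argument, not as argv[0]. The paths /usr/local/sbin/cvs-pserver, /etc/cvs-allow-roots and /usr/bin/cvs are assumptions for the example, as is the inetd.conf line shown in its header comment; cvs compares the root the client sends against the --allow-root values as strings, which is why non-absolute entries are rejected.

```shell
#!/bin/sh
# cvs-pserver: added example wrapper, not from the original post or from CVS.
# Starts "cvs pserver" with --allow-root for every repository listed in a
# file, so /etc/inetd.conf does not have to carry the list itself.
#
# Assumed /etc/inetd.conf line (the args field begins with argv[0]):
#   cvspserver stream tcp nowait cvs /usr/local/sbin/cvs-pserver cvs-pserver pserver
#
# Assumed config file, one absolute repository path per line; blank lines
# and lines starting with '#' are ignored:
#   /home/cvs/proj1-repository
#   /home/cvs/proj2-repository

CVS_BIN="${CVS_BIN:-/usr/bin/cvs}"                 # assumed location of cvs
CONF="${CVS_ALLOW_ROOTS:-/etc/cvs-allow-roots}"    # hypothetical config path

# Replace the shell with cvs. Kept as its own function so a dry run can
# substitute something that just prints the argument vector.
exec_cvs() {
    exec "$CVS_BIN" "$@"
}

# The point of this setup is that everything runs as the cvs user, so a
# wrapper accidentally installed under root in inetd.conf should not start.
refuse_root() {
    if [ "$(id -u)" -eq 0 ]; then
        echo "cvs-pserver: refusing to run as root" >&2
        return 1
    fi
}

# Build "cvs -f --allow-root=DIR ... pserver" from the config file and exec it.
# Arguments are built with "set --" and kept quoted, so no word splitting
# happens on the paths. Non-absolute paths are skipped: cvs matches the
# client's CVSROOT against --allow-root values as strings, so a relative
# entry could never match anyway.
run_pserver() {
    conf="$1"
    if [ ! -r "$conf" ]; then
        echo "cvs-pserver: cannot read $conf" >&2
        return 1
    fi
    set -- -f
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
            /*) ;;
            *) echo "cvs-pserver: ignoring non-absolute path: $line" >&2; continue ;;
        esac
        set -- "$@" "--allow-root=$line"
        n=$((n + 1))
    done < "$conf"
    if [ "$n" -eq 0 ]; then
        echo "cvs-pserver: no repositories listed in $conf" >&2
        return 1
    fi
    exec_cvs "$@" pserver
}

# Entry point: only act when inetd invoked us with the "pserver" argument
# (argv[0] is the wrapper's own name, see the inetd.conf line above).
case "${1:-}" in
    pserver) refuse_root && run_pserver "$CONF" ;;
esac
```

Because the wrapper refuses an empty or unreadable list and exits non-zero, a misconfiguration shows up as a closed connection in the cvs client and a message in inetd's log rather than as a pserver that silently accepts any CVSROOT. Repository paths in the file must be exactly the strings clients put in their CVSROOT (no trailing slash, no symlink variants).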




