info-cvs
Re: ANN: cvssh - secure ext-to-pserver bridge


From: Michal Wallace
Subject: Re: ANN: cvssh - secure ext-to-pserver bridge
Date: Thu, 24 Jan 2002 20:40:53 -0500 (EST)

On Thu, 24 Jan 2002, Greg A. Woods wrote:

> > When someone uses shared accounts, they throw away Unix
> > security.  Maybe that's your point, but on the other hand
> > Unix security is not needed in many carefully controlled
> > situations.
>
> No, they throw away any and all possibility of
> accountability, especially with CVS.  Period.


Hi Greg,

You obviously have very strong feelings about this...  Can
you help me understand specifically what risks are involved?

These are the precautions I'm taking:

 - The CVSROOT directory is read-only, so customers can't add
   their own users without going through me, nor can they
   set up wrappers.

 - CVS runs as the user(s) specified in the CVSROOT/passwd
   file. Each repository gets its own user, that does not
   have access to any other repository.

 - The client-server traffic is protected with SSL.

 - I am in the process of setting up a chrooted jail
   (or jails) on the server, to keep CVS from accessing
   any other directories.


What am I missing? What other sorts of security issues do
you see?

Thanks,

- Michal   http://www.sabren.net/   address@hidden
------------------------------------------------------------
Give your ideas the perfect home: http://www.cornerhost.com/
 cvs - weblogs - php - linux shell - perl/python/cgi - java
------------------------------------------------------------
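
Added example, not part of the original message: a small audit of the second precaution above (one run-as user per repository, set in CVSROOT/passwd). It assumes the standard pserver line format `cvs_login:crypted_password:system_user`; the repository paths, logins, hashes and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: repository path -> contents of its CVSROOT/passwd.
# Each line is cvs_login:crypted_password:system_user (third field optional).
SAMPLE = {
    "/cvs/alpha": "alice:Xk2pQ9abcdefg:cvs_alpha\nbob:Yz8rT1abcdefg:cvs_alpha\n",
    "/cvs/beta": "carol:Ab3dE5abcdefg:cvs_beta\ndave:Cd4fG6abcdefg\n",
    "/cvs/gamma": "erin:Ef5hI7abcdefg:cvs_alpha\n",
}


def parse_passwd(text):
    """Yield (cvs_login, run_as) per entry; run_as is None when omitted."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(":")
        run_as = fields[2] if len(fields) > 2 and fields[2] else None
        yield fields[0], run_as


def audit(repos):
    """Return (where, who, problem) tuples for isolation gaps."""
    findings = []
    owners = defaultdict(set)  # system user -> repositories it serves
    for repo, text in sorted(repos.items()):
        for login, run_as in parse_passwd(text):
            if run_as is None:
                # Without a third field the server runs as the CVS login
                # name, so the per-repository account is bypassed.
                findings.append((repo, login, "no run-as user set"))
                run_as = login
            owners[run_as].add(repo)
    for user, used_by in sorted(owners.items()):
        if len(used_by) > 1:
            # One system user reaching two repositories breaks the
            # "no access to any other repository" property.
            findings.append((",".join(sorted(used_by)), user,
                             "system user shared across repositories"))
    return findings


if __name__ == "__main__":
    for where, who, problem in audit(SAMPLE):
        print(f"{where}: {who}: {problem}")
```

Several CVS logins mapping to the same run-as user inside one repository is not flagged, since that is the shared-account setup being discussed; only missing or cross-repository mappings are reported.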