RE: How 2 Secure the repository?
From: Vishal Jain
Subject: RE: How 2 Secure the repository?
Date: Mon, 11 Mar 2002 13:42:30 -0500

Hi, I had the same problem some time back. The following is the way I have my
repository working now.

OS: Unix (actually it is an NFS-mounted volume, which I am sure someone
here will say DON'T DO THAT :-p)
CVSAdmin: One Unix user and one Unix group (say cvsadmin:cvsadmin for now)
Repo Permission: drwxrwx--- (only allow cvsadmin:cvsadmin)
CVS bin: setgid "cvs" binary, setting permission as user:cvsadmin

Since the repository is under cvsadmin:cvsadmin, no one can read/modify data.
Only this cvs setgid binary can extract or modify files. I allow checkout by
anyone. For committing changes I have added a checkin script (in Perl) that
does the necessary ACL check. It checks the username and whether that user
is allowed to check in or not. Voilà, problem solved :-p

This is for Unix users. I am trying to work on wincvs now as well, but it
sure will take some time. I sure need input on the Unix solution from you
people, for possible hacks that users may use to do any harm. I know NFS
itself can do some harm, so I have made users wait for, say, 20 seconds
before the changes are reflected in cvs properly.

Regards,
Vishal Jain

-----Original Message-----
From: Dustin Cavanaugh [mailto:address@hidden]
Sent: Monday, March 11, 2002 12:27 PM
To: address@hidden
Subject: How 2 Secure the repository?
Environment: cvs 1.11.1p running on unix. Clients are mostly wincvs1.13.7+
(in-house modifications to prevent password display on the screen), plink
for ssh connection. Developers have valid login on unix server and are
members of the cvs and users groups.
How do I protect the repository from developers modifying or deleting code
directly without using cvs? Any protection scheme we've been able to think
of either locks them out completely or has loopholes.
_______________________________________________
Info-cvs mailing list
address@hidden
http://mail.gnu.org/mailman/listinfo/info-cvs
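
Added example (not part of the original thread and not the poster's Perl script): a sketch in Python of the kind of commit-time ACL check described in the reply above, assuming it is hooked in through CVSROOT/commitinfo, which passes the repository directory as the first argument. The ACL file format, its path, the /cvsroot root and the user names are all assumptions made for illustration. The check takes the committer from the real UID rather than from $USER or $LOGNAME, which the caller controls, and denies anything no rule covers.

```python
import os
import pwd
import sys

REPO_ROOT = "/cvsroot"                    # assumed repository root
ACL_FILE = "/cvsroot/CVSROOT/commit_acl"  # hypothetical ACL file

# Constructed sample ACL: "directory-prefix : allowed users"
SAMPLE_ACL = """\
project/core : alice, bob
project/docs : alice, carol   # writers
"""

def parse_acl(text):
    """Return a list of (path components, set of users) rules."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        prefix, _, users = line.partition(":")
        names = {u.strip() for u in users.split(",") if u.strip()}
        rules.append((prefix.strip().strip("/").split("/"), names))
    return rules

def real_username():
    """Name for the real UID; setgid and $USER/$LOGNAME do not change it."""
    return pwd.getpwuid(os.getuid()).pw_name

def may_commit(user, directory, rules, repo_root=REPO_ROOT):
    """Default deny; the longest matching directory prefix decides."""
    root, path = os.path.abspath(repo_root), os.path.abspath(directory)
    if os.path.commonpath([root, path]) != root:
        return False                      # outside the repository
    parts = os.path.relpath(path, root).split(os.sep)
    best = None
    for prefix, users in rules:
        if parts[:len(prefix)] == prefix and (best is None or len(prefix) > len(best[0])):
            best = (prefix, users)
    return best is not None and user in best[1]

if __name__ == "__main__":
    # CVS passes the repository directory as the first argument.
    with open(ACL_FILE) as fh:
        acl = parse_acl(fh.read())
    user = real_username()
    if not may_commit(user, sys.argv[1], acl):
        sys.exit(f"commit denied for {user} in {sys.argv[1]}")
```

A non-zero exit from the script makes CVS abort the commit; the ACL file itself should be writable only by the repository administrator.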