info-cvs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Per-modules readers/writers ?


From: david
Subject: Re: Per-modules readers/writers ?
Date: Fri, 25 Oct 2002 19:25:43 -0500 (CDT)

> 
> > > Nick Patavalis wrote:
> > >
> It's probably not any better, more like an alternate feature that would be
> handy in certain environments.  Personally, I'd rather the repository be
> owned and operated by just one user, and allow the repository administrator
> to be able to grant and revoke permissions and add new projects and project
> groups without having to add any users/groups to the system.
> 
I suppose it comes down to how you identify actual users, since
the system has to know somehow about who is trying to access a module
in order to allow or deny that access.  The classic Unix method is to
assign each actual user an account on the machine, and this authentication
method has been worked on extensively, both to try to improve it and
to try and stop people spoofing it.  It's about as secure a means as
you can get, at least when you use known secure techniques.

Any other method of authentication is going to be easier to fool.
CVS's pserver is a case in point:  it isn't secure, and if you want
strict authentication you should use :ext: with ssh or some such
thing.  Not only has there been less work done on securing it, but
there never will be anywhere near as much work.

If security is an issue, you want to enforce authentication, since
no security is perfect and you need to have some sort of audit
facility.  Therefore, you want as reliable a method of authentication
as possible, and I don't know of anything better than Unix user
accounts.  There's security there, if people use it.

-- 
Now building a CVS reference site at http://www.thornleyware.com
address@hidden





reply via email to

[Prev in Thread] Current Thread [Next in Thread]