info-cvs

RE: FAQ-O-Matic pserver protocol


From: Guus Leeuw jr.
Subject: RE: FAQ-O-Matic pserver protocol
Date: Sun, 13 Feb 2005 09:50:43 +0100

> -----Original Message-----
> From: address@hidden [mailto:address@hidden On Behalf Of Mark D.
> Baushke
> Sent: Sunday 13 February 2005 09:39
> To: Guus Leeuw jr.
> Cc: address@hidden
> Subject: Re: FAQ-O-Matic pserver protocol
> 
> Guus Leeuw jr. <address@hidden> writes:
> 
> > Hence I am looking at the pserver protocol, so I figured, it is a FAQ.
> > Now depending how you interpret FAQ (asked or answered), I was right ;)
> >
> > It's apparently asked often, but
> > https://ccvs.cvshome.org/fom//cache/446.html gives no answer :(
> 
> Search the info-cvs archives and you might have more luck. The short
> answer is don't use it. Move along, this is not the protocol you are
> looking for...

The "hence" above was indicating that I am writing a passwd command for the
pserver stuff, as Jim suggested would be a nice feature...
On dev, so far, no hard statement against doing this...
If you think I shouldn't be doing this, please state so, and I'll back out
doing more important stuff...

> > Can anybody tell me where the doc is? Can't seem to find it in the
> > cvs1-12-11 branch...
> 
> For HTML Cederqvist manual for cvs 1.12.11, look here:
> https://www.cvshome.org/docs/manual/cvs-1.12.11/cvs.html
> 
> For the client/server protocol, look here:
> https://ccvs.cvshome.org/source/browse/ccvs/doc/cvsclient.texi
> 
> You should be able to find a doc/cvsclient.info file and a
> doc/cvsclient.ps -- these forms of the document describe both the
> pserver framework and protocol (as well as the kserver and server
> protocols). If you plan to read the document closely and you actually
> care about security, issue ear-plugs to your neighbors so that your
> screams will not disturb them too much.

OK, thanks ;)

> In general, my personal opinion is that the pserver and kserver
> protocols should be removed from the cvs sources completely. It is never
> secure to run the cvs executable as root which is required to use the
> pserver protocol. The cvs sources were never designed with security in
> mind and running them as root is idiocy. (Just say no.)

You're kidding, right? Root is a good user(TM), no?
 
> If you are using pserver, I hope it is on an isolated LAN with lots of
> firewalls and does not control any sources you really need to be kept
> secure. I also hope that you are making plans to transition away from
> pserver usage as fast as possible.

I have used it for a couple of years on a LAN that has merely an ADSL router
listening, and a Linux based firewall blocking... in between the LAN and the
server is still an SMC Barricade allowing nothing from the outside to create
a network session... Guess this is triple secure... I get a lot of probes,
but they don't make it through the server... So that should be cool...

> Summary: Friends don't let friends deploy cvs pserver configurations...

Sure enough... What about the people that do use pserver, and want their
users to change their passwords from CVSROOT/passwd? No change today... Not
securely, that is. So we might consider implementing it, no? Simply sending
a scrambled password over the *LAN* can't hurt too much... For WAN, pserver
is quite different ;)

Anyways... Development stopped until verdict is received ;)

Guus


-- 
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.300 / Virus Database: 265.8.7 - Release Date: 10/02/2005
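
A defender's check for the two deployment concerns raised in this thread (pserver started as root from inetd, and accounts kept in CVSROOT/passwd), given here as an added example that is not part of the original message or of CVS. It assumes the classic inetd.conf field layout and the `user:crypted-password[:system-user]` passwd layout; the function names and all sample data are constructed.

```python
# Constructed sample data (not taken from the thread).
SAMPLE_INETD = """\
# /etc/inetd.conf
2401 stream tcp nowait root /usr/local/bin/cvs cvs -f --allow-root=/usr/cvsroot pserver
#cvspserver stream tcp nowait root /usr/bin/cvs cvs -f --allow-root=/srv/old pserver
ftp stream tcp nowait root /usr/sbin/ftpd ftpd -l
"""
SAMPLE_PASSWD = """\
anonymous:
alice:ab01CdEfGhIjk
build:ab02CdEfGhIjk:root
"""

def audit_inetd(conf_text):
    """Report active inetd.conf entries that launch `cvs ... pserver`."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        # Fields: service socket proto wait user[.group] program argv...
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 7 or "pserver" not in fields[6:]:
            continue
        user = fields[4].replace(":", ".").split(".")[0]
        roots = [a.split("=", 1)[1] for a in fields[6:]
                 if a.startswith("--allow-root=")]
        findings.append({"line": lineno, "service": fields[0], "user": user,
                         "runs_as_root": user == "root", "allow_roots": roots})
    return findings

def audit_passwd(passwd_text):
    """Flag CVSROOT/passwd entries with no password or mapped to root."""
    issues = []
    for raw in passwd_text.splitlines():
        if not raw.strip():
            continue
        parts = raw.strip().split(":")
        name = parts[0]
        crypted = parts[1] if len(parts) > 1 else ""
        # Without a third field the CVS user name is used as the system user.
        sysuser = parts[2] if len(parts) > 2 and parts[2] else name
        if not crypted:
            issues.append((name, "empty password"))
        if sysuser == "root":
            issues.append((name, "mapped to system user root"))
    return issues

if __name__ == "__main__":
    for f in audit_inetd(SAMPLE_INETD):
        print("inetd line %(line)d: user=%(user)s roots=%(allow_roots)s" % f)
    for name, why in audit_passwd(SAMPLE_PASSWD):
        print("passwd entry %s: %s" % (name, why))
```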
 


