Re: Problem with admin privileges
From: Mark D. Baushke
Subject: Re: Problem with admin privileges
Date: Mon, 27 Jun 2005 13:12:07 -0700
Julian Opificius <address@hidden> writes:
> Larry Jones wrote:
> > Julian Opificius writes:
> >
> >>I'm not quite sure what you mean by "mapping" users.
> > Using the third field of the CVSROOT/passwd file to have the server run
> > as some user other than the actual user.
> >
> Yep, that's what I am/was doing.
> >
> >> I want each user to have his own login to the system, and I want to
> >> control access to CVS repositories on a per-user basis, which is
> >> why I use pserver.
> > There's no need to use pserver for that. In fact, pserver is a giant
> > security hole that is best avoided. Since you're giving your users ssh
> > access to the server anyway, the best thing for you to do is to use
> > :ext: mode with ssh rather than rsh (which should be the default if
> > you're running CVS 1.12). Each user logs in as themselves and you can
> > then use ordinary file permissions to control who has access to
> > what. See the manual for details:
> > <https://www.cvshome.org/docs/manual/cvs-1.11.20/cvs_2.html#SEC13>
> > -Larry Jones
> >
> I have one more issue that affects my choice that I should have
> mentioned earlier. We are working in an FAA-regulated environment, and
> my CVS repository must be secure, in that nobody can impair the
> lifecycle data, and all accesses must be documented and controlled,
> i.e. all accesses must be via the cvs server. This is why I chose
> pserver in the first place.
>
> How can I maintain this level of integrity without pserver: keeping
> the repository itself inaccessible, while allowing write access
> through cvs?
Using ssh in a restricted execution mode in general and for restricted
execution of CVS is discussed in many places.
I suggest you may find more reading useful... try these documents:
http://www.idealx.org/doc/chrooted-ssh-cvs-server.en.html
http://www.prima.eu.org/tobez/cvs-howto.html
http://www.informatimago.com/linux/chrooted-ssh-cvs.html
You may also find other documentation via your favorite search engine.
Enjoy!
-- Mark
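
Editor's added example, not part of Mark's message or of the linked documents: one common form of "restricted execution" is an sshd forced command that lets a key run nothing except the CVS server and logs every attempt. The wrapper path /usr/local/bin/cvs-only, the syslog tag and the key in the comment are assumptions made for illustration.

```shell
#!/bin/sh
# Hypothetical wrapper, installed as /usr/local/bin/cvs-only (assumed path).
# Bound to each user's key in ~/.ssh/authorized_keys (key is a placeholder):
#   command="/usr/local/bin/cvs-only",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA...PLACEHOLDER user@host

# Return 0 only if the command the client requested is the one a CVS client
# in :ext: mode sends by default, "cvs server". The match is exact: no extra
# arguments, no shell metacharacters, no alternate binary path (a client
# that sets CVS_SERVER to something else is refused).
cvs_gate() {
    case "$1" in
        "cvs server") return 0 ;;
        *)            return 1 ;;
    esac
}

# Forced-command entry point: log the decision, then either hand the
# connection to the CVS server or drop it.
cvs_only_main() {
    who=$(id -un)
    from=${SSH_CLIENT:-unknown}     # sshd sets SSH_CLIENT to "ip port port"
    from=${from%% *}
    if cvs_gate "${SSH_ORIGINAL_COMMAND:-}"; then
        logger -t cvs-only -p auth.info "allow user=$who from=$from"
        exec cvs server             # fixed command; client text is never evaluated
    fi
    logger -t cvs-only -p auth.warning \
        "deny user=$who from=$from cmd=${SSH_ORIGINAL_COMMAND:-<interactive>}"
    echo "This account is restricted to CVS access." >&2
    exit 1
}

# Run the entry point only when the script is installed under its own name,
# so the file can also be sourced or tested without side effects.
case "${0##*/}" in
    cvs-only) cvs_only_main ;;
esac
```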