info-cvs

Re: server->pserver proxy?


From: Todd Denniston
Subject: Re: server->pserver proxy?
Date: Thu, 24 Jan 2008 15:28:55 -0500
User-agent: Thunderbird 2.0.0.9 (X11/20071031)

Gary Funck wrote, On 01/24/2008 02:34 PM:
> On 01/25/08 06:19:12, Arthur Barrett wrote:
>> Is your question "How do I store two repositories on a server with
>> different users able to access different repos?"
>>
>> The simplest way to achieve that is with two --allow_root's and set the
>> filesystem level ownership and permissions on the files.
>
> I've got a pretty good handle on how --allow-root might work, and we
> presently utilize users/groups to enforce some level of access control.
>
> I prefer something like the pserver protocol because it has
> per repository access control that is separate from the system's
> idea of users and groups, and it makes it possible to manage
> CVS access using CVS-related files/tools only.

Which if I recall correctly folks over the years have indicated are weak at 
best.
And you are thinking about allowing read access to the _REAL_ repository from _anonymous_ users using pserver????

At least with ssh you might be able (using ssh restrictions) to restrict them to only being able to execute cvs.
http://lists.gnu.org/archive/html/info-cvs/2004-05/msg00158.html
http://lists.gnu.org/archive/html/info-cvs/2005-08/msg00204.html

>> If you need to get fancier then use the cvsacls script from the contrib
>> directory.
>
> I looked at that and a few other add ons.  Seemed somewhat clunky
> and complex.

because CVS (including the pserver portion) was never designed as a secure application, the OS was to take care of that.
http://lists.gnu.org/archive/html/info-cvs/2004-01/msg00252.html

CVSNT _may_ be a bit better about the security, because they have been working on several methods for authentication.

>> If you need to get fancier still then use CVSNT (free/GPL just like CVS
>> and yes it runs on unix/linux/windows/mac) and use the 'chacl' command
>> with ACLmode=normal.
>
> OK.  I haven't looked into CVSNT.  Thanks for the tip.
>
>> Also: using pserver over the internet for write access is discouraged
>> since the password is sent in plain text.
>
> Understood, that's why I gravitated towards a server->pserver
> conversion.  The server side is accessed via the ssh and
> the external network.  The pserver protocol is accessed only
> on the internal network (this shares a similar philosophy
> with the ssh port forwarding to pserver solution).
>
>> CVSNT has a 'sserver' protocol which is an encrypted version
>> of pserver.
>
> This sounds like it will fit the bill.  Thanks.
>
> How well supported, and widely used is CVSNT?  It doesn't
> seem to be readily available via the usual collection of
> repositories as an FC8 rpm for example.
>
>   - Gary




--
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter
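
One way to apply the ssh restriction mentioned in the message above, as an added example that is not part of the original post: an OpenSSH forced-command wrapper that lets a key run `cvs server` and nothing else. The script name, its install path and the `--enforce` argument are assumptions, and it assumes clients use the default `CVS_SERVER` value so that the requested command is exactly `cvs server`.

```shell
#!/bin/sh
# cvs-only.sh: hypothetical forced-command wrapper (name and path are assumptions).
# Attach it to each CVS user's key in ~/.ssh/authorized_keys, on one line
# (the key material below is a placeholder):
#   command="/usr/local/bin/cvs-only.sh --enforce",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa <PUBLIC-KEY> user@example

# check_request REQUEST
# Prints "allow" only when the client asked for exactly "cvs server",
# which is what a CVS client using CVS_RSH=ssh sends by default.
check_request() {
    case "$1" in
        "cvs server") echo allow ;;
        *)            echo deny ;;
    esac
}

# handle_session
# sshd places the command the client requested in SSH_ORIGINAL_COMMAND.
# Interactive logins leave it empty, so they are refused as well.
handle_session() {
    if [ "$(check_request "${SSH_ORIGINAL_COMMAND:-}")" = "allow" ]; then
        exec cvs server
    fi
    # Record the refusal for later review; ignore a missing logger binary.
    logger -t cvs-only "refused request from ${SSH_CLIENT:-unknown}" 2>/dev/null || true
    echo "Only 'cvs server' is permitted for this key." >&2
    exit 1
}

# Enforce only when started through the authorized_keys entry above.
if [ "${1:-}" = "--enforce" ]; then
    handle_session
fi
```

File ownership and permissions on the repository still decide what an authenticated user can read or write; the wrapper only removes shell access, forwarding and arbitrary commands for that key.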



