info-cvs

RE: Running CVS as Non-Root User


From: eric.berg
Subject: RE: Running CVS as Non-Root User
Date: Mon, 24 Jan 2011 10:45:15 -0500

Arthur,

I believe we'll be running with the latest cvs (1.11.23) on RHEL 5.5 (or so) 
(Kernel ~2.6.18)

We would like to authenticate via pserver and against the underlying system 
authentication system or maybe an AD service.

Running as root is fine with me.  Negotiating the bureaucracy here to get 
someone else involved -- especially with something that includes root 
access...hooo!  (PITA)  I believe that we may be able to convince our SAs to set 
us up to run from (x)inetd, but probably not as root.  :(

Essentially, our organization has retired all CVS services, but we're so 
heavily invested, both in terms of systems that rely on it as well as for all 
of our code validations and deployments based on CVS hook files, that we need 
to take over running it on our own.  The move to SVN is just too much of an 
investment at this point as we're far too tightly coupled to CVS.

Eric

 

> -----Original Message-----
> From: Arthur Barrett [mailto:address@hidden]
> Sent: Friday, January 21, 2011 3:51 PM
> To: Berg, Eric: IT (NYK); address@hidden
> Subject: RE: Running CVS as Non-Root User
> 
> Eric,
> 
> What version of CVS?  What operating system?  You've asked what
> authentication schemes are possible as non-root, but let me ask you: do
> you require a particular authentication (PAM, SystemAuth etc) or
> protocol (ssh, pserver etc)?
> 
> I know with CVSNT (yes it runs on linux/unix) that you can use a chroot
> jail if you are worried about the effects of running the process as
> root.  The server process quickly drops privileges to the rights of the
> client user (or runas user, or alias user) once the authentication is
> complete.  Since the server drops privileges as soon as authentication
> is complete then the ownership of the RCS files is unrelated to the
> server process running as root.
> 
> If you are happy to run CVS/CVSNT on unix/linux and require SSH access
> only then the server doesn't ever run as root (since sshd is running
> as root).
> 
> This highlights my primary concern about your question - you are perhaps
> implying that it is BAD to run cvs server as root - but you are probably
> more than happy to run sshd as root - they are both free/open source
> software, they are both running on the same server - I think you should
> trust CVS/CVSNT to do its job and concentrate on security and access
> control, including the use of a chroot jail, ownership and access
> control of the RCS repository, ownership and access control within
> branches (cvs chacl etc).
> 
> I run a one day course on CM Design and CVSNT Administration for
> customers ;)
> 
> Regards,
> 
> 
> 
> Arthur Barrett
> Product Manager
> CVS Suite and CVSNT
> March Hare Software
> 
> 
> > -----Original Message-----
> > From: address@hidden [mailto:address@hidden]
> > On Behalf Of address@hidden
> > Sent: Friday, 21 January 2011 7:26 AM
> > To: address@hidden
> > Subject: Running CVS as Non-Root User
> > 
> > 
> > Is there any definitive documentation on running CVS as a non-root user?
> > 
> > Among the questions the answers to which concern us are the following:
> > 
> > *  Who owns the repo disk files when running as a non-root user;
> > *  When hooks are invoked by the server when running as a non-root
> >    user, as which user are they invoked?
> > *  What authentication methods are available to CVS running as a
> >    non-root user?
> > 
> > Thanks for any feedback you can provide in the way of links or info.
> > 
> > Eric
> > 
> 
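
The review of repository ownership and access control that Arthur recommends above can start with an on-disk permission audit. The script below is an added example, not part of the original thread or of CVS/CVSNT; the function name `audit_cvs_repo` and the sample path are hypothetical, and it assumes the stock CVS layout (a `CVSROOT/` directory, `*,v` history files, pserver password hashes in `CVSROOT/passwd`).

```shell
#!/bin/sh
# Added example: permission audit for a CVS repository directory.
# Usage: audit_cvs_repo REPO [OWNER]
#   REPO   repository root, the directory that contains CVSROOT/
#   OWNER  optional account name or uid expected to own every file,
#          e.g. the single account a non-root pserver would run as
# Prints one "FINDING: ..." line per problem.
# Returns 0 if clean, 1 if there are findings, 2 if REPO is not a repository.
# Hypothetical invocation: audit_cvs_repo /path/to/repository cvs
audit_cvs_repo() {
    repo=$1
    owner=${2:-}
    if [ ! -d "$repo/CVSROOT" ]; then
        echo "ERROR: $repo has no CVSROOT directory" >&2
        return 2
    fi
    findings=$(
        # RCS history files, hook scripts or directories that any local
        # account can modify.
        find "$repo" \( -type f -o -type d \) -perm -0002 \
            -exec printf 'FINDING: world-writable: %s\n' {} \;
        # CVSROOT/passwd holds pserver password hashes and should not be
        # readable by accounts outside the owner and group.
        find "$repo/CVSROOT" -type f -name passwd -perm -0004 \
            -exec printf 'FINDING: world-readable passwd: %s\n' {} \;
        # Setuid files have no place in a repository.
        find "$repo" -type f -perm -4000 \
            -exec printf 'FINDING: setuid file: %s\n' {} \;
        # Optional: everything should belong to the expected account.
        if [ -n "$owner" ]; then
            find "$repo" ! -user "$owner" \
                -exec printf 'FINDING: not owned by %s: %s\n' "$owner" {} \;
        fi
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```
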

