|From:||M . E . O'Neill|
|Subject:||Re: Patch: Add support for CVS_USER environment variable|
|Date:||Wed, 25 Feb 2004 21:50:56 -0800|
In some situations, cvs is run as a user different from the username that should be used for checkins. The enclosed patch adds support for setting the username used for checkins using an environment variable, CVS_USER (much rcs used to pay attention to LOGNAME).
and Larry Jones replied:
That is a horrible idea -- it lets anyone pretend to be anyone else with no authentication whatsoever. It completely defeats any hope of accountability.
Nonsense. Local users doing local commits have always had direct access to the files in the repository. They can compile their own cvs that lies (or that has my patch), or just get in there with their favorite editor and make changes (editing the repository to change history is fun for the whole family). There is no "security" or authentication for ordinary local cvs access.
In the simple all-local case, if your users can't be trusted not to behave, you've got bigger problems than my patch.
In the remote case (cvs over ssh), the cvs server doesn't much care what the cvs client thinks the user is. In fact, the whole reason I wrote this patch was for the remote end in a scenario when multiple clients would connect to a server using a single username, and so the checkins would all be checked in under the same name (the username the cvs-over-ssh server ran as).
M.E.O.P.S. In my case, the specific application is actually a system where CVS_RSH is not ssh at all, but a cunning setuid script that handles authentication and then sets CVS_USER and runs the server. I wouldn't mind if CVS_USER only applied to cvs server incantations, but such a restriction wouldn't add any additional security.
|[Prev in Thread]||Current Thread||[Next in Thread]|