|
From: | Derek R. Price |
Subject: | Re: Patch: Add support for CVS_USER environment variable |
Date: | Thu, 26 Feb 2004 01:25:38 -0500 |
User-agent: | Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax) |
M.E.O'Neill wrote:
P.S. In my case, the specific application is actually a system where CVS_RSH is not ssh at all, but a cunning setuid script that handles authentication and then sets CVS_USER and runs the server. I wouldn't mind if CVS_USER only applied to cvs server incantations, but such a restriction wouldn't add any additional security.
If your script is so cunning, why can't it setuid to the username in question after authentication?
I am afraid that you may be right, however. I can't think of a good way to exploit your suggestion if it only works with `cvs server'. Of course, your patch doesn't implement this and would need documentation and test cases to be accepted. Please see the HACKING file in the top level of the CVS source distribution for more.
Derek
[Prev in Thread] | Current Thread | [Next in Thread] |