[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


From: Derek R. Price
Subject: Re: CVS & SSL
Date: Thu, 24 May 2001 08:58:22 -0400

"Greg A. Woods" wrote:

> SSH can work that way to, obviously.

I don't _want_ to take the trouble to set up a separate SSH tunnel each time.
And I don't like allocating and tracking ports on my local machine for each CVS
server I connect to.

> setuid too?  in CVS?  grrr...

The setuid's been there forever.  pserver is intended to run as root and set its
ID to whatever user the passwd file maps the login to.  How did you think that
was working?

Anyhow, please don't get me wrong here.  I mostly agree with you and the model 
keeping as many security related issues outside of CVS as possible, but for 
and dirty, until someone comes up with something better (nserver's model?  we'll
see, I guess), pserver works.  A lot of people know it's insecure and use it
anyhow because they want some security, even if it's minimal, and probably
because it is the easiest access method to set up.  It can also be used without
the allocation of local userids, which some people prefer.

Few _sysadmins_ seem to agree about which security models are best.  Thus, it is
best that CVS remain flexible enough to provide varying levels of security
dependant on the desires of the administrator.  For now this means keeping
pserver around, I think.

Keep in mind too that some people use pserver for the user maps & logging,
probably not even really caring whether it is particularly secure itself.

Finally, note that all I did was enable the insertion of a socket provider in
place of CVS's internal tcp connection.  This enables the further removal of
security from the CVS application itself.  Your socket provider can be
authenticating using any method you wish and pserver continues to allow the
mapping to separate userids in the logs without necessitating separate user


Derek Price                      CVS Solutions Architect ( )
mailto:address@hidden         CollabNet ( )
116. (A)bort, (R)etry, (P)retend this never happened...

reply via email to

[Prev in Thread] Current Thread [Next in Thread]