RE: How 2 Secure the repository?

From: Vishal Jain
Subject: RE: How 2 Secure the repository?
Date: Mon, 11 Mar 2002 13:42:30 -0500

Hi, I had the same problem some time back. Following is the way I have my
repository working now.

OS:              Unix (actually it is an NFS-mounted volume, which I am sure someone here will say DON'T DO THAT :-p)
CVSAdmin:        One Unix user and one Unix group (say cvsadmin:cvsadmin for now)
Repo Permission: drwxrwx--- (only allow cvsadmin:cvsadmin)
CVS bin:         setgid "cvs" binary, setting permission as user:cvsadmin

Since the repository is under cvsadmin:cvsadmin, no one can read/modify data.
Only this cvs setgid binary can extract or modify files. I allow checkout by
anyone. For committing changes I have added a checkin script (in Perl) that
does the necessary ACL check. It checks for the username and compares whether
that user is allowed to check in or not. Voilà, problem solved :-p

This is for Unix users. I am trying to work on wincvs now as well. But it
sure will take some time. I sure need input on the Unix solution from you
people, for possible hacks that users may use to do any harm. I know NFS
itself can do some harm, so I have made users wait for say 20 seconds
before the changes will be reflected in cvs properly.

Vishal Jain

-----Original Message-----
From: Dustin Cavanaugh [mailto:address@hidden]
Sent: Monday, March 11, 2002 12:27 PM
To: address@hidden
Subject: How 2 Secure the repository?

Environment: cvs 1.11.1p running on unix. Clients are mostly wincvs1.13.7+ 
(in-house modifications to prevent password display on the screen), plink 
for ssh connection. Developers have valid login on unix server and are 
members of the cvs and users groups.

How do I protect the repository from developers modifying or deleting code
directly without using cvs? Any protection scheme we've been able to think
of either locks them out completely or has loopholes.

Info-cvs mailing list
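
The commit ACL check described in the reply above, as an added example that is not part of the thread (the Perl script it mentions is not shown on the page). The ACL file format, the function names, the `commit_acl` path and the wiring as a hook that receives the repository directory as its first argument are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: default-deny commit ACL check.
# Assumed ACL file format, one rule per line: <dir-prefix>:<user>[,<user>...]

# acl_allows USER RELDIR ACLFILE
# Succeeds only if some rule whose prefix covers RELDIR lists USER.
acl_allows() {
    user=$1 dir=$2 acl=$3
    [ -n "$user" ] && [ -r "$acl" ] || return 1    # no user or ACL: deny
    while IFS=: read -r prefix users; do
        case $prefix in ''|'#'*) continue ;; esac  # blank line or comment
        # Whole path components only: "src" covers "src/lib", not "src2".
        case $dir/ in "$prefix"/*) ;; *) continue ;; esac
        case ,$users, in *,"$user",*) return 0 ;; esac
    done < "$acl"
    return 1                                       # no rule matched: deny
}

# commit_check USER ROOT ACLFILE DIR
# DIR is the absolute repository directory receiving the commit.
commit_check() {
    root=${2%/}
    case $4 in
        "$root"/*) rel=${4#"$root"/} ;;
        *) echo "commit denied: $4 is outside $root" >&2; return 1 ;;
    esac
    if acl_allows "$1" "$rel" "$3"; then return 0; fi
    echo "commit denied: $1 has no ACL entry for $rel" >&2
    return 1
}

# Hook usage (assumed wiring and file name). Pass the name that belongs to
# the process uid: $USER and $LOGNAME are set by the caller and prove
# nothing, while under a setgid cvs binary the uid is still the committer's.
#   commit_check "$(id -un)" "$CVSROOT" "$CVSROOT/CVSROOT/commit_acl" "$1"
```

The ACL file needs the same protection as the repository itself: if committers can write to it, the check decides nothing.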
