info-cvs

Re: ssh authentication; readers/writers/passwd


From: Noel Yap
Subject: Re: ssh authentication; readers/writers/passwd
Date: Tue, 9 Jul 2002 13:52:22 -0700 (PDT)

--- Brandon Craig Rhodes <address@hidden> wrote:
> Chris Palmer <address@hidden> writes:
>
> > Under [the pserver] model, is all access controlled solely via the
> > unix system permissions, or can I also control things with the
> > CVSHOME/readers, writers, passwd files?  I am hoping that these are
> > still used by CVS even if I'm not using the pserver authentication
> > system.
>
> Coming in through ssh normally dodges the CVS access control files.
> Imagine how annoying this would become if your site wanted to offer
> both ssh and pserver password access - you would have to duplicate the
> same set of permissions in your Unix filesystem hierarchy and in the
> `readers' and `writers' files!
>
> If you are comfortable patching your CVS server, this is easy to
> change.  The `readers' and `writers' files are consulted by the
> server.c:check_command_legal_p(...) function whenever the variable
> `CVS_Username' is set - which normally occurs only when using pserver,
> when it finds an alias in the `passwd' file.  But you can simply
> rewrite the function to use the user's login name instead if it finds
> that `CVS_Username' is unset - this way, when he comes in through ssh,
> he will still be searched for in `readers' and `writers'.
>
> If you are willing to run such a modified server, but cannot write
> this patch on your own, let me know and I will write and post a patch
> to do it this evening.

In the end, the OS still controls permissions to the
repository.  IOW, if file system permissions haven't
been set for the user, no matter what CVS says, the
user will not be able to access the repository.

If, OTOH, one decides to turn on permissions for
everyone, then, yes, CVS can control permissioning to
the repository *assuming everyone comes in through
CVS*.

So, in order to use this patch, one'll have to leave a
big, gaping hole in the security of the repository.

HTH,
Noel
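
The two layers discussed in this message, modelled side by side as an added example (not code from the thread or from CVS): it applies the `readers'/`writers' rule with the proposed login-name fallback, then compares the result with what the filesystem allows. The function names, the users `alice` and `bob`, and the world-writable test used as a stand-in for "permissions turned on for everyone" are assumptions made for illustration.

```python
import os
import stat
import tempfile

def read_names(path):
    """Usernames listed in a readers/writers file, or None if the file is absent."""
    try:
        with open(path) as fh:
            return {line.strip() for line in fh if line.strip()}
    except FileNotFoundError:
        return None

def cvs_allows_write(admin_dir, cvs_username, login_name, fallback_to_login):
    """Model of the readers/writers decision; True means CVS permits commits."""
    user = cvs_username or (login_name if fallback_to_login else None)
    if user is None:
        return True  # stock ssh case: the access control files are not consulted
    readers = read_names(os.path.join(admin_dir, "readers"))
    writers = read_names(os.path.join(admin_dir, "writers"))
    if readers is not None and user in readers:
        return False  # listed as a reader: read-only
    if writers is not None and user not in writers:
        return False  # writers file exists and omits the user: read-only
    return True

def fs_open_to_everyone(path):
    """Simplified OS check: True if the directory is world-writable."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)

def audit(repo_dir, admin_dir, login_name, fallback_to_login=True):
    """Flag a shell user whom CVS restricts but the filesystem does not."""
    cvs_ok = cvs_allows_write(admin_dir, None, login_name, fallback_to_login)
    fs_ok = fs_open_to_everyone(repo_dir)
    return {"cvs_write": cvs_ok, "fs_write": fs_ok, "bypass": fs_ok and not cvs_ok}

def build_sample_repo(mode):
    """Constructed sample repository: 'alice' is a reader, 'bob' is a writer."""
    root = tempfile.mkdtemp()
    admin = os.path.join(root, "CVSROOT")
    os.mkdir(admin)
    with open(os.path.join(admin, "readers"), "w") as fh:
        fh.write("alice\n")
    with open(os.path.join(admin, "writers"), "w") as fh:
        fh.write("bob\n")
    os.chmod(root, mode)
    return root, admin

if __name__ == "__main__":
    root, admin = build_sample_repo(0o777)
    print(audit(root, admin, "alice"))
```

A `bypass` result of `True` marks the case the reply describes: the server-side check says read-only, while direct filesystem access would still permit a write.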

