RE: Per-modules readers/writers ?

[Greg A. Woods]

[ On Tuesday, October 29, 2002 at 13:47:05 (-0800), Shankar Unni wrote: ]
> Subject: RE: Per-modules readers/writers ?
>
> Cost? Utility? Stability?

Good questions.  What are _your_ answers?

>  (And besides, is it your contention that
> Linux filesystem security is "real" security? All I have to do is break
> into the machine as root using one of the many unpatched
> vulnerabilities, and the whole repository is mine..)

Who said anything about Linux?  I certainly didn't.

> NT Server costs $$$. Besides, I don't like NT Server very much anyway as
> a server - a Linux server is far more versatile and solid. In fact, we
> did start off using CVSNT on an NT box, and after several dozen blue
> screens and one repository corruption, I gave up on the stupid thing.

So, which is it?  Do you want some level of security, or not?

> On the other hand, I can't very well go up to, say, the CIO and tell
> them that I want the whole company to ditch Microsoft and implement a
> whole new Grand Unified Authentication and Authorization mechanism
> across the company.  I could, if I wanted to make it my personal
> full-time evangelism and crusade, but I have to live within real-life
> constraints.

You (must) live with the circumstances you create for yourself.

> Look, I understand where you come from regarding security, and grafting
> on security mechanisms on top of each other.

Well, either you do or you don't.  You're still asking to create
something that is only an illusion while at the same time not thinking
about how you could build your illusion without changing CVS at all.

>  On the other hand, what
> most of us are looking for here are not absolute, drop-dead, guaranteed
> security, but a mere semblance of an approximation of authorization
> walls.  

Then clearly you do not need or want anything over and above what CVS
gives you today with basic unix permissions and ownerships and so on.
You already have a mere semblance of an approximation of authorization
controls -- and you can implement even more of them too in very simple
hooks in the CVSROOT/*info files, with no mods necessary to CVS itself.

> For example, pserver isn't really (or even remotely) secure either, and
> it's there for good or bad,

Indeed.  And for bad only.

> because there's such an *overwhelming*
> demand and need for it. I know you'd like to rip it out and throw it
> away, but you'll never hear the end of the screaming if you did so.

You've got that _way_ wrong.  'cvs pserver' was a horrible failed
experiment with absolutlely no thought to security or its future bad
impact on CVS.  It's a stupid hack that really isn't necessary now and
never really was.  It was only created because the better alternative
was (mistakenly) considered to be too difficult.  It's only still in CVS
because nobody bothered to take it out in time.

Even for anonymous read-only access pserver's time has come and gone
long long ago.

-- 
                                                                Greg A. Woods

+1 416 218-0098;            <address@hidden>;           <address@hidden>
Planix, Inc. <address@hidden>; VE3TCP; Secrets of the Weird <address@hidden>