[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Security, audits and pserver

From: Douglas Finkle
Subject: RE: Security, audits and pserver
Date: Fri, 13 Dec 2002 11:26:13 -0500

> > A chroot environment is only good at containing
> > what's inside it.  It
> > does not prevent access to the chroot environment
> > from outside.
> I see.  I guess it's obvious that the repository would
> have to be within the chroot'ed environment meaning
> that such an environment wouldn't help in preventing
> users from directly accessing the archive files.  Is
> this right?

Yes, this you are correct... chrooting a file system would
have no impact on the user's ability to access the repository.
The best method for keeping folks out is to use public key 
ssh auth, constrain user's key to exactly one command required
for cvs, and to disable passwd authentication-- both on the
ssh and os level.

>From this point you can use unix file and group security to
further control what can be written/read. I've not set up
cvs readers/writers, but that may add an additional layer.
Finally, you can implement a commit hook to further filter by
module and or branch.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]