[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Security, audits and pserver

From: Larry Jones
Subject: Re: Security, audits and pserver
Date: Mon, 16 Dec 2002 11:13:16 -0500 (EST)

Walter, Jan writes:
> Personally I tend to believe that giving people any sort of local access
> (even in a chrooted environment for the user for instance) is more of a
> security risk than allowing pserver access over ssl/ssh, with the limited
> number of users having the key needed to connect (i.e. Auto-key negotiation
> disabled and so on). This limits the exposure of pserver to people already
> having the public key of the server (and their public key registered there).

Note that giving anyone pserver access to a machine is equivalent to
giving them local shell access -- there are fairly simple tricks that
can be used to execute arbitrary code on the server.  CVS was not
designed as a security application, it was designed as a collaboration
application for cooperative users.

-Larry Jones

Let's just sit here a moment... and savor the impending terror. -- Calvin

reply via email to

[Prev in Thread] Current Thread [Next in Thread]