Re: Security options :-(

From: Todd Denniston
Subject: Re: Security options :-(
Date: Tue, 17 Dec 2002 10:28:50 -0500

Phil R Lawrence wrote:
> Satya Prasad DV wrote:
> >
> > At 02:32 PM 12/17/2002, Mike Ayers wrote:
> >
> > > Here's a bit of a challenge for the list.  We need to set up
> > > a CVS repository on a Linux server such that the users can't
> > > modify the files, except through proper CVS operations.  The
> > > catch?  They are currently permitted to log into the server.
> >
> > The cvs user id and group id need to be different from all
> > other login users. And set permissions for repository such
> > that the cvs user and group only are given write
> > permissions. This should suffice.
>
> And then what?  Use pserver to map the existing user ids to the cvs id?
> I have been trying to figure out a secure way to set this thing up, but
> each way seems to have big drawbacks.
> Method 1
>    description:
>    - users SSH into existing accounts.
>    - repository has group permissions that allow users to
>      check in and out, etc.
>    drawback:
>    - users can modify the history files, because they are
>      located in the same dir as source files.  Audit function
>      is thus compromised.

If I have understood Greg correctly, this drawback can be nullified by telling
SSH to only let you execute one command 'cvs'.  man sshd, search for

And combine that with filesystem permissions (and ACLs?) on each of the
modules/directories/CVSROOTs to get finer granularity of your access control.

I'd crawl over an acre of 'Visual This++' and 'Integrated Development
That' to get to gcc, Emacs, and gdb.  Thank you.
        -- Vance Petree, Virginia Power
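
The single-command SSH restriction suggested in the reply above, sketched as an added example that is not part of the original message: an OpenSSH `authorized_keys` forced command pointing at a small gate script. The script path `/usr/local/bin/cvs-gate`, the function names and the key material are assumptions made for illustration; `cvs server` is the command a CVS client requests when it connects over `:ext:` with ssh.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed install path:
# /usr/local/bin/cvs-gate. Attach it to each user's key in
# ~/.ssh/authorized_keys (one line; key material is a placeholder):
#
#   command="/usr/local/bin/cvs-gate",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA...placeholder user@host
#
# sshd then runs this script for every login with that key and passes the
# command the client asked for in SSH_ORIGINAL_COMMAND.

# Return 0 only for the exact request a CVS client makes over ssh.
# An exact match (no prefix or pattern match) keeps "cvs server; sh" out.
cvs_request_allowed() {
    case "$1" in
        "cvs server") return 0 ;;
        *) return 1 ;;
    esac
}

# Run the CVS server for an allowed request, refuse everything else.
# An interactive login has an empty SSH_ORIGINAL_COMMAND and is refused too.
cvs_gate() {
    if cvs_request_allowed "${SSH_ORIGINAL_COMMAND:-}"; then
        exec cvs server
    fi
    echo "cvs-gate: only 'cvs server' is permitted for this key" >&2
    return 1
}

# Act as the forced command only when invoked under the assumed script name.
case "$0" in
    cvs-gate|*/cvs-gate) cvs_gate ;;
esac
```

The gate only removes shell access; CVS itself still runs under the user's own account, so the filesystem permissions discussed in the thread continue to decide what that process may write.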
