secure cvs setup (yet again)
Wed, 28 May 2003 15:33:55 -0700
I've been having a horrible time accessing this list - this is try #4.
Forgive it if it is a dup; I'd also like some help from the cvs group
owner to figure out what the #$$% is going on. I shouldn't have to
post from 4 different mailing addresses to get one post; posting
from google looks screwed up too.
Elsewise, help on the following is appreciated.
My other email address (address@hidden) has been having difficulty in
reaching this list, so I thought I might try it from here.
Anyways, I'm getting lost in a quagmire (bog? murky swamp?) of options for
running a secure CVS server on a box where I have limited access. For
security's sake, I may get a root process to run in the background but
I'll have to share that root process with others. In short, this is what I
want to do:
1) be able to run a cvs server securely.
2) set it up so this cvs server uses CVSROOT/??? makes all files inside
CVS be owned by the same user and in the same group.
3) use CVSROOT/passwd to control who accesses the server, checks in and out
(hence eliminating the need for having one unix user per cvs user).
4) use a configuration file to limit what people receive via 'cvs
Now, #1 I think I have sorted out, but it's still a mess of options:
cvsauth vs cvsd, vs something called sserver vs whatever... Anyways, I
think I'm going to go with ssh tunnelling.. and setting up cvs pserver
so the only traffic that can hit the pserver comes from the localhost (ssh
As for #2, how do you do this? Since I'm sharing the box with other
people, I'd like them to have the ability to run *their* cvs repositories,
using the same method that *I'm* doing, all going through one server.
Hence, I'd like pserver to have the ability to use CVSROOT to figure out
what user to use (perhaps picking the user/group combo up from the
directory where CVSROOT is located?) in checking in files.. Is this
possible? If not, what's a workaround? And what are the risks in running
cvs pserver as root? Have there been exploits in pserver to get a root
shell or run root code? And if so, are there ways of running xinetd for
user processes as well as root?
As for #3, I know using CVSROOT/passwd for authentication is doable, but
is it somehow possible to finagle CVS so that the file is put inside
source control and then edited to get entry? I don't see how this could
be, but the author of cvsauth seems to think it could happen.. Anyone
have any ideas?
And finally, using a configuration file to figure out who-gets-what is
totally murky to me. How do you do it? My design would be to have a single
file, with a list of files and directories that pserver would pick up per
user, something like:
which says, cvsuser1 gets dir1, file1, and everything in dir2 minus file2.
which says cvsuser1 gets everything minus dir1 and dir2.
Somehow I don't think that cvs is this easy though.
Anyways, any help on this is appreciated. I know this is a long post, but
I think a small doc on setting up a standard, secure, multi-user cvs would
be most appreciated. Lord knows I've looked for one - I've found bits and
pieces, but never the whole picture..
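
The localhost-only pserver behind an ssh tunnel that the post settles on for #1, as an added example that is not part of the original message: an xinetd service entry with the exposed form described beside the restricted one. The repository path /home/cvs/repo, the account cvsowner, the cvs binary location and the host cvs.example.org are assumptions.

```conf
# /etc/xinetd.d/cvspserver  (added example; path, user and group are assumptions)
#
# Weak form, for comparison: no bind/only_from and user = root. pserver then
# answers on every interface, its passwords cross the network only trivially
# scrambled (not encrypted), and the server process starts with root privileges.
#
# Restricted form: listen on loopback only, run as an unprivileged repository
# owner, and pin the single repository this service is allowed to serve.
service cvspserver
{
    disable     = no
    socket_type = stream
    protocol    = tcp
    wait        = no
    # Accept connections on the loopback interface only, so the sole
    # network path to port 2401 is an ssh port forward.
    bind        = 127.0.0.1
    only_from   = 127.0.0.1
    # Hypothetical account that owns every file in the repository.
    # Entries in CVSROOT/passwd name it as the system user (third field),
    # so many CVS users share this one unix user.
    user        = cvsowner
    group       = cvsowner
    server      = /usr/bin/cvs
    # -f ignores ~/.cvsrc; --allow-root refuses any other repository path.
    server_args = -f --allow-root=/home/cvs/repo pserver
}

# Client side: forward local port 2401 (cvspserver) through ssh, then
# point CVSROOT at the local end of the tunnel.
#   ssh -N -L 2401:127.0.0.1:2401 shelluser@cvs.example.org
#   cvs -d :pserver:cvsuser1@localhost:/home/cvs/repo login
```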
- secure cvs setup (yet again),
Peschko, Edward <=