RE: Running CVS as Non-Root User
Mon, 24 Jan 2011 12:02:51 -0500
> -----Original Message-----
> From: Larry Jones [mailto:address@hidden]
> Sent: Monday, January 24, 2011 11:34 AM
> To: Berg, Eric: IT (NYK)
> Cc: address@hidden
> Subject: Re: Running CVS as Non-Root User
> address@hidden writes:
> > Is there any definitive documentation on running CVS as a non-root user?
> CVS should never be run as root. The only exception is pserver, which
> only runs as root long enough to authenticate the user; once the user
> has been authenticated, it switches user and runs as the user
> The usual advice is to avoid pserver if at all possible; it's much
> better to use ssh for remote access (CVS was never designed to run as
> root and thus has a number of security concerns; ssh was).
Right...I was more thinking of starting it in a root-oriented way, not
necessarily running it as root. By that I mean that I've not found any way for
me as a non-root user to actually run a CVS server without some kind of root
intervention to update the inetd/xinetd config. I was hoping that I could at
least test with something like 'cvs -d' to daemonize it, but I haven't found
any way to do that at this point.
Hey...in looking around a bit, it appears that you don't actually have to set
up a cvs "server" if you use SSH. Is that correct?
> > Among the questions the answers to which concern us are the
> > * Who owns the repo disk files when running as a non-root user;
> The last user to modify the file owns it, regardless.
Great. Got it.
> > * When hooks are invoked by the server when running as a non-root
> > user, as which user are they invoked?
> Again, CVS only runs as root long enough to authenticate, so hooks are
> always run as the actual user.
> > * What authentication methods are available to CVS running as a
> > non-root user?
> CVS shouldn't be used for authentication unless you have no
> alternative (or are very trusting of your users).
Looks like SSH is the preferred way to go. Just have to figure out how that
will work for those of us developing on Windows.
> Larry Jones
> OK, there IS a middle ground, but it's for sissy weasels. -- Calvin
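An added example, not part of the original thread: since pserver is the one CVS mode that is started from inetd/xinetd and begins as root, this sketch lists active pserver entries in inetd.conf-format text together with the user inetd starts them as, which helps find hosts to move to ssh access. The function names, the sample lines, the `/srv/...` paths and the `cvsd` account are constructed for illustration.

```shell
#!/bin/sh
# Audit inetd.conf-format text for CVS pserver entries.
# inetd.conf fields:
#   service socket-type protocol wait-flag user server-program args...

# Constructed sample input (not taken from any real host).
sample_inetd_conf() {
cat <<'EOF'
# constructed sample inetd.conf
ftp        stream tcp nowait root /usr/sbin/in.ftpd in.ftpd
2401       stream tcp nowait root /usr/bin/cvs cvs -f --allow-root=/srv/cvsroot pserver
#cvspserver stream tcp nowait root /usr/bin/cvs cvs -f --allow-root=/srv/old pserver
cvspserver stream tcp nowait cvsd /usr/bin/cvs cvs -f --allow-root=/srv/test pserver
EOF
}

# Read inetd.conf text on stdin; print "service user" for every active
# (uncommented) entry that runs cvs with the pserver command.
find_pserver_entries() {
    awk '
        $1 ~ /^#/ || NF < 8 { next }   # skip comments and lines too short to match
        {
            is_cvs = 0; has_pserver = 0
            # Start at field 6 so a tcpd-wrapped cvs is also recognised.
            for (i = 6; i <= NF; i++) {
                if ($i == "cvs" || $i ~ /\/cvs$/) is_cvs = 1
                if ($i == "pserver") has_pserver = 1
            }
            if (is_cvs && has_pserver) print $1, $5
        }'
}

# Read inetd.conf text on stdin; print how many active pserver entries
# are started as root.
count_root_pserver() {
    find_pserver_entries | awk '$2 == "root" { n++ } END { print n + 0 }'
}

# Stand-alone use: pass the path of an inetd.conf file as the first argument.
if [ "$#" -gt 0 ]; then
    find_pserver_entries < "$1"
fi
```

With ssh access there is no such entry to find: the client sets `CVS_RSH=ssh` and uses an `:ext:` CVSROOT, and the `cvs` process on the server starts under the account that logged in.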