[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVS security question

From: Mark D. Baushke
Subject: Re: CVS security question
Date: Tue, 03 Feb 2004 15:37:50 -0800

Hash: SHA1

Pankaj Garg <address@hidden> writes:

> I wonder why do we not CVS has a server which run with SUID (Super
> User ID) and only it can access repository. Other users can login via
> SSH, verify their credentials with our CVS Server and ask CVS Server
> to carry out their requests. They can request normal repository
> operations based on their privilege. This new CVS server will give
> much better control because we can set minute details of permissions
> on repository and files inside it. In fact we can have just One
> repository in all and host multiple projects under it and give control
> of these projects to different group of people.
> Whats stopping people from implementing this?

You should be able to implement it if it will meet your needs.

Something like the second-to-last paragraphs of this message:
is posible.

I know of a site that runs cvs as a set-gid 'cvs' program wherein all of
the files and directories are in group 'cvs' as an aid to avoid
accidental deletion. A set of periodic jobs gets run as root to chown
the files all to user cvs. No real users are in group cvs and the cvs
user does not have a real password. No file in the repository has world
read or write permissions.

Additional protection may be found by making the parent directory for
the repository is only visible to members of the 'software' group for
the software repository. So, this means that only members of the
'software' group would be able to run the set-gid cvs executable to
do any cvs operations at all.

        -- Mark
Version: GnuPG v1.2.3 (FreeBSD)


reply via email to

[Prev in Thread] Current Thread [Next in Thread]