
Re: pserver user id's


From: Julian Opificius
Subject: Re: pserver user id's
Date: Thu, 07 Jul 2005 11:45:21 -0500
User-agent: Mozilla Thunderbird 1.0.2 (Windows/20050317)

foomonkey wrote:
I believe my problem lies in that my inetd.conf specifies to run
cvspserver under the cvsadm user account. When I have my
$CVSROOT/CVSROOT/passwd file configured like,
<username>:<password>:cvsadm, everything works great. With the
exception that user A can see user B's projects and vice versa. This is
because cvsadm owns the repository directory structure. The mode for it
is 771.

When I change the passwd file to <username>:<password>:<username>, this
does not work. I get the previously mentioned error. My belief is that
pserver is running as cvsadm but wants to run in the context of the
user specified in passwd. I don't know that this is possible unless
pserver is running as root. In a sandbox environment, I have changed
pserver to run as root (in inetd.conf) and it works correctly.

I may be missing something but that's the way things appear to me. Is
there any danger in having pserver run as root? inetd.conf contains
many other services running as root. I realize that ANY service running
as root or otherwise introduces certain vulnerabilities.

Thanks for any clarification anyone can provide.
Andrew

As Larry said, [x]inetd must run cvs as root. But you don't want to have the repositories owned by an admin account member - it isn't necessary, and gives rise to the problems you're experiencing. Running cvs as root - as Larry says - allows it to control access to other users. To that end ...

Create a separate user and group "cvs", and change ownership of the repository to that user. Put ":cvs" after all entries in your password file (that are not admin users, of course).

You already have "drwxrws--x" on your repository directories, which is good. The project files need/should only be "440", CVS takes care of everything.

julian.
