Re: cvs on unix simple security issue
From: Todd Denniston
Subject: Re: cvs on unix simple security issue
Date: Tue, 07 Mar 2006 15:28:14 -0500
User-agent: Mozilla Thunderbird 1.0.7-1.1.fc4 (X11/20050929)

address@hidden wrote:
> Hello. Self-proclaimed CVS noob here.
>
> We have this repository root located under /aps/cvs/CVSROOT and we
> maintain software under directories like this:
> /aps/fire/cobol
> /aps/fire/jcl
> /aps/fire/sql
>
> I've discovered that unix users on the can remove cvs versioning
> information by simply doing an rm under /aps/cvs/aps/fire/jcl .. where
> files like mysource,v exist.
>
> However, if I attempt to secure those directories, unix users can't
> deploy to the repository.
>
> Is there any way to secure the directories with the ",v" files while
> allowing unix users (developers) to deploy? Don't they need write to
> those directories?
>
> Thanks for any help or information.

0) Get a good backup system implemented.
1) Have someone write down the policy and get management approval for it:
   a) to remove software from a checkout, do a
      `cvs rm file`; `cvs commit`
   b) anyone who is not authorized and does a Unix rm|mv inside
      of the cvs repository will be disciplined appropriately.
   c) discipline sessions will continue until
      company property stops disappearing from the
      cvs repository.
2) Inform the developers of the policy.
3) Have management implement the policy.
4) Change from the current method of accessing the cvs server to ssh and limit
   the commands the user can execute from the ssh session to CVS (search the web,
   others have done this and documented the procedure). Now you have
   authenticated and tracked logins that can be audited.
5) Make sure the only way someone can log into the cvs server is with ssh.
   pserver is most likely NOT your friend if you already have developers being
   destructive in the repository.

--
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter
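
Step 4 of the reply (limit what an ssh session may run to CVS) is commonly done with an OpenSSH forced command. The script below is an added example, not part of the original message or the poster's configuration; the script name `cvs-only`, its install path, the `--enforce` flag and the user `dev1` are assumptions.

```shell
#!/bin/sh
# Added example, not from the original message: an OpenSSH forced-command
# gate that lets a key run the CVS server and nothing else.
# Assumed install path and flag; one line per developer key in
# ~/.ssh/authorized_keys (key material shown as a placeholder):
#   command="/usr/local/bin/cvs-only --enforce",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa <PUBLIC-KEY> dev1
# sshd runs the forced command instead of whatever the client asked for and
# passes the client's request in SSH_ORIGINAL_COMMAND.

# cvs_gate REQUEST: prints "allow" or "deny", returns 0 or 1.
# A CVS client using the :ext: method asks the remote side for "cvs server";
# an interactive login (empty request), rm, scp or extra arguments are refused.
cvs_gate() {
    case "$1" in
        "cvs server") echo allow; return 0 ;;
        *)            echo deny;  return 1 ;;
    esac
}

# audit_line USER REQUEST DECISION: one log line; non-printable bytes in the
# request become "?" so a crafted request cannot forge extra log lines.
audit_line() {
    clean=$(printf '%s' "$2" | tr -c '[:print:]' '?')
    printf 'cvs-gate user=%s decision=%s request="%s"\n' "$1" "$3" "$clean"
}

if [ "${1:-}" = "--enforce" ]; then      # invoked by sshd as the forced command
    req="${SSH_ORIGINAL_COMMAND:-}"
    if decision=$(cvs_gate "$req"); then
        logger -t cvs-gate "$(audit_line "${LOGNAME:-unknown}" "$req" "$decision")"
        exec cvs server                  # fixed string, never the client's text
    fi
    logger -t cvs-gate "$(audit_line "${LOGNAME:-unknown}" "$req" "$decision")"
    echo "This account only accepts CVS connections." >&2
    exit 1
fi

# Without --enforce: show the decisions for constructed sample requests.
for req in "cvs server" "" "/bin/sh" "cvs server; /bin/sh" \
           "rm /aps/cvs/aps/fire/jcl/mysource,v"; do
    audit_line dev1 "$req" "$(cvs_gate "$req")"
done
```

`cvs server` still runs under the developer's own account, so commits keep working with the existing directory permissions; the key simply can no longer be used to get a shell or run `rm` in the repository.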