In article <[EMAIL PROTECTED]>,
  Michael Richardson <[EMAIL PROTECTED]> writes:

>   Systems that give shells out to people that have write access 
> are already open to running programs by clients.
> 
>   So, this really affects people that use :pserver: with write
> access.

The problem also affects a carefully configured :ext: method using ssh.
It is well known that :pserver: with write access is dangerous because
it sends the password in plain text, and :ext: using ssh is recommended.

But :ext: using ssh has a problem in that it provides shell access in
general.  So a pedantic administrator (like me) disables shell access with
an option `command="cvs server"' in authorized_keys (and uses chroot).

The problem is the real problem in this case.  It provides general
access to the server machine even if cvs server is running in a chroot
jail and /bin/sh does not exist.

Maybe the first problem I described is not so interesting to anyone other
than pedantic administrators.
(The second problem is more interesting for casual users, I think.)
-- 
Tanaka Akira
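
An added example, not part of the original message: a check that every key in an authorized_keys file is pinned to `cvs server` by a forced command, as the setup described above requires. The sample keys are constructed placeholders, and the extra no-pty/forwarding checks (the `HARDEN` list and the `restrict` shorthand) are OpenSSH options assumed here, not something the message mentions.

```python
import re

KEY_TYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)$")
# Assumption: extra OpenSSH restrictions worth pairing with a forced command.
HARDEN = ("no-pty", "no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding")

def split_options(line):
    """Parse the leading options field; a line starting with a key type has none."""
    if KEY_TYPE.match(line.split(None, 1)[0]):
        return {}
    fields, cur, in_quote, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if in_quote and ch == "\\" and line[i + 1:i + 2] == '"':
            cur, i = cur + '"', i + 2      # \" is a literal quote inside a value
            continue
        if ch == '"':
            in_quote = not in_quote
        elif ch == "," and not in_quote:
            fields, cur = fields + [cur], ""
        elif ch.isspace() and not in_quote:
            break                          # unquoted whitespace ends the options
        else:
            cur += ch
        i += 1
    fields.append(cur)
    return {n.lower(): v for n, _, v in (f.partition("=") for f in fields)}

def audit(text, expected="cvs server"):
    """Return (line_number, finding) for keys not pinned to `expected`."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts = split_options(line)
        missing = [o for o in HARDEN if o not in opts and "restrict" not in opts]
        if opts.get("command") != expected:
            findings.append((n, "no forced command %r, key gets general shell access" % expected))
        elif missing:
            findings.append((n, "forced command set, missing: " + ", ".join(missing)))
    return findings

SAMPLE = """\
# constructed sample, key material is a placeholder
command="cvs server",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAB3PLACEHOLDER alice@example
ssh-rsa AAAAB3PLACEHOLDER bob@example
command="cvs server" ssh-ed25519 AAAAC3PLACEHOLDER carol@example
"""
```

Calling `audit(SAMPLE)` flags line 3 (no forced command) and line 4 (forced command without the extra restrictions).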
