In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (Larry Jones) writes:
> It's a known problem. Like it says in the Cederqvist manual (under
> "Security considerations with password authentication"):
>
> ... once a user has non-read-only access to the repository, she
> can execute programs on the server system through a variety of
> means.
I believe that most of the problems can be prevented by a carefully
designed chroot jail without cvs modification. I think that the
problem is serious because chroot cannot prevent it.
> Fixing this will require some serious redesign -- the simplest fix would
> be to just get rid of checkin and update programs, but I'm not sure how
> people would feel about that.
I hope that and my patch do that. If someone wants the function, it
should be configurable and disabled by default.
--
Tanaka Akira