Julian Opificius
Thu, 07 Jul 2005 09:49:55 -0700
foomonkey wrote:
> I believe my problem lies in that my inetd.conf specifies to run cvspserver under the cvsadm user account. When I have my $CVSROOT/CVSROOT/passwd file configured like, <username>:<password>:cvsadm, everything works great. With the exception that user A can see user B's projects and vice versa. This is because cvsadm owns the repository directory structure. The mode for it is 771.
>
> When I change the passwd file to <username>:<password>:<username>, this does not work. I get the previously mentioned error. My belief is that pserver is running as cvsadm but wants to run in the context of the user specified in passwd. I don't know that this is possible unless pserver is running as root. In a sandbox environment, I have changed pserver to run as root (in inetd.conf) and it works correctly. I may be missing something but that's the way things appear to me.
>
> Is there any danger in having pserver run as root? inetd.conf contains many other services running as root. I realize that ANY service running as root or otherwise introduces certain vulnerabilities.
>
> Thanks for any clarification anyone can provide.
> Andrew

As Larry said, [x]inetd must run cvs as root. But you don't want to have the repositories owned by an admin account member - it isn't necessary, and gives rise to the problems you're experiencing. Running cvs as root - as Larry says - allows it to control access to other users. To that end ...
Create a separate user and group "cvs", and change ownership of the repository to that user. Put ":cvs" after all entries in your password file (that are not admin users, of course).
You already have "drwxrws--x" on your repository directories, which is good. The project files need/should only be "440"; CVS takes care of everything.
julian.
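A read-only audit of the layout recommended in this reply, as an added example that is not part of the original message or of CVS itself: it checks that non-admin `CVSROOT/passwd` entries map to the shared `cvs` account and that repository modes match `drwxrws--x` and `440`. The function names, the `admins` set and the sample entries are assumptions made for illustration.

```python
import os
import stat

DIR_MODE = 0o2771   # drwxrws--x, the directory mode quoted in the reply
FILE_MODE = 0o440   # r--r-----, the file mode quoted in the reply

def audit_passwd(text, admins=(), run_as="cvs"):
    """Return (cvs_user, problem) for non-admin entries not mapped to run_as."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.strip().split(":")
        user = fields[0]
        # The third field is the system account pserver switches to; when it
        # is absent, CVS falls back to the CVS username itself.
        system_user = fields[2] if len(fields) > 2 and fields[2] else user
        if user not in admins and system_user != run_as:
            findings.append((user, f"maps to '{system_user}', expected '{run_as}'"))
    return findings

def mode_problem(mode, is_dir):
    """Describe a deviation from the advised permission bits, or return None."""
    want = DIR_MODE if is_dir else FILE_MODE
    have = stat.S_IMODE(mode)
    return None if have == want else f"mode {have:04o}, expected {want:04o}"

def audit_tree(root):
    """Walk a repository and collect (path, problem) for every wrong mode."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, True) for d in dirnames] + [(f, False) for f in filenames]
        for name, is_dir in entries:
            path = os.path.join(dirpath, name)
            problem = mode_problem(os.lstat(path).st_mode, is_dir)
            if problem:
                findings.append((path, problem))
    return findings

# Constructed sample passwd content; the hashes are placeholders.
SAMPLE_PASSWD = """\
alice:PLACEHOLDERHASH1:cvs
bob:PLACEHOLDERHASH2:cvsadm
carol:PLACEHOLDERHASH3
cvsadm:PLACEHOLDERHASH4:cvsadm
"""

if __name__ == "__main__":
    for user, problem in audit_passwd(SAMPLE_PASSWD, admins={"cvsadm"}):
        print(f"passwd: {user}: {problem}")
```

`audit_tree` only reads metadata, so it can be pointed at a live repository path without changing ownership or modes.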