Hi,

I recently (err, mid last year) set up a remote CVS server, running as a non-root user, and using GSSAPI authentication (Kerberos V). I found that when changes were committed, the server always attributed them to the user it was running as, rather than the GSSAPI authenticated user. I fixed this problem, and append the patch below. Sorry I didn't send it in sooner.

Tim

cut here --- ----
*** cvs-1.10/src/server.c Fri Aug 7 10:46:38 1998 --- cvs-1.10.patched/src/server.c Sat Jul 10 17:46:50 1999 *************** *** 4649,4654 **** --- 4649,4666 ---- exit (EXIT_FAILURE); } + /* [EMAIL PROTECTED] : the comment below seems to assume that the server + should always be run as root. I do not agree: I am running the server as + an unprivileged user in a chroot tree, because the info (2.9.3.3 Security + considerations with password authentication) says "there may be other + ways in which having access to CVS allows people to gain more general + access to the system; no one has done a careful audit". Besides that, + only the paranoid survive. The assumption that the server always runs as + root leads to bugs. In particular, the "system usernames" below are + currently irrelevant when using gssapi authentication. The call to setuid + should probably only be made if running as root. It is a bad idea to + require a server to run as root if not absolutely necessary */ + /* FIXME? We don't check for errors from initgroups, setuid, &c. I think this mainly would come up if someone is trying to run the server as a non-root user. I think we should be checking for *************** *** 4657,4663 **** should continue to work right if all of the "system usernames" in CVSROOT/passwd match the user which the server is being run as (in inetd.conf), but fail otherwise. */ ! 
#if HAVE_INITGROUPS initgroups (pw->pw_name, pw->pw_gid); #endif /* HAVE_INITGROUPS */ --- 4669,4675 ---- should continue to work right if all of the "system usernames" in CVSROOT/passwd match the user which the server is being run as (in inetd.conf), but fail otherwise. */ ! #if HAVE_INITGROUPS initgroups (pw->pw_name, pw->pw_gid); #endif /* HAVE_INITGROUPS */ *************** *** 5319,5324 **** --- 5331,5342 ---- } switch_to_user (buf); + + /* [EMAIL PROTECTED]: Set CVS_Username here (in allocated space) to the value +obtained + from GSSAPI authentication. A (good) side-effect is that the gserver now pays +attention + to the readers and writers files in CVSROOT */ + CVS_Username = xmalloc (strlen (buf) + 1); + strcpy (CVS_Username, buf); printf ("I LOVE YOU\n"); fflush (stdout);
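Review bot: the comment added in the first hunk (new lines 4649-4666) says the call to setuid "should probably only be made if running as root", but the patch changes no code there, and the FIXME directly below it still records that errors from initgroups and setuid are not checked. Either make that change in this patch (guard the calls on running as root and check their return values) or cut the comment down to a statement of the problem. The remarks about the info manual and "only the paranoid survive" belong in the covering mail rather than in server.c.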
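Review bot: the only line marked as changed in the second hunk (the `!` line just before #if HAVE_INITGROUPS, old 4657-4663, new 4669-4675) appears to differ in whitespace only, and the initgroups call itself is untouched. Please drop this hunk so the patch carries only the functional change.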
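Review bot: in the third hunk (new lines 5331-5342) the assignment after switch_to_user (buf) copies the same buf that was just used as the system user into CVS_Username, and the comment describes enforcement of the readers and writers files in CVSROOT as a side effect. That is an authorization change, so it should be stated as the intended behaviour, with a confirmation that buf at this point holds the name obtained from GSSAPI authentication. The assignment is unconditional, so please also say whether CVS_Username can already hold an allocated value here. The comment lines have been wrapped by the mailer ("+obtained", "+attention"), so the hunk will not apply as sent; please resend it unwrapped.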