Derek Price wrote:

> I see your point.  What about `cvs server'?  I can see both setups being
> useful...  an admin who allowed users access to the CVS repository would
> probably prefer not to allow the config file to be specified whereas an
> admin who restriced the command that SSH users could run to a particular
> shell script that provided the -c option wouldn't mind...  perhaps it
> should be a compile time option, with the default to disallow it.

On further consideration, if we are going to consider a configurable
config path with other CVS modes a security risk, then using it with
pserver has to be considered a security risk too.  There is nothing
stopping a creative user with shell access to a machine from using
pserver mode to access their repository.

I might argue that any administrator worried that much about security
should be disabling shell access to the machine anyhow, which would deal
with any insecurity resulting from a configurable config path, but I
don't feel so strongly about it that I wouldn't happily install it as a
compile-time option that defaults to off.



Bug-cvs mailing list

Reply via email to