[ On Tuesday, May 16, 2000 at 14:17:31 (-0500), Andy Glew wrote: ]
> Subject: Re: CVS security: networked filesystems like AFS, client server,ssh 
>
> I just read the paper on OpenBSD's "Anonymous CVS"
> system - pserver like, with an anoncvs account,

Yup -- but I still think an anonymous SSH account is even better.  It
does introduce a lot more code into the path, but at least the common
SSH distributions have been fairly closely scrutinized.  This gives
slightly more protection to the system since the only outside access
will presumably be restricted to a 

> but read-only, on a dedicated machine, on a copy
> of the repository, in a mainly read-only chroot.

I thought all that was an obvious given for any "anonymous" access!

You've also removed the compiler and any general-purpose interpreters
with lots of kinds of system-call support (perl, python, php, etc.) too,
I assume.

Surely nobody allows anonymous access to their live repository now, do
they?  That is an *extremely* risky thing to do, esp. given recent
public talk about so-called "security holes" in CVS!

(The chroot part though is optional as far as I'm concerned, assuming of
course that the box is really dedicated to just being an anonymous CVS
server and all other services disabled and even removed, and probably
with the repo copy retrieved over a second private ethernet interface
that's normally not configured except when the public one is off-line
during scheduled maintenance time.)

> *That* makes me feel sufficiently confident about security.

well at least then any damage is easily spotted and corrected....

> It's also not something that you are going to set up
> too often.

nope!

> I was interested to hear about CVSup. Does anyone on this
> list have experience with it?

I've used it to keep a copy of the FreeBSD repository in sync and it
works very well indeed.

You still probably want to run it on a dedicated "anonymous-only"
system with a copy of the repository if you're going to allow anonymous
access to it.....

-- 
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <[EMAIL PROTECTED]>      <robohack!woods>
Planix, Inc. <[EMAIL PROTECTED]>; Secrets of the Weird <[EMAIL PROTECTED]>
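The setup described in this message (a read-only copy of the repository on a dedicated anonymous-only box, with the compiler and general-purpose interpreters removed) can be checked mechanically. The script below is an added example, not code from the thread or from CVS/OpenBSD: it mirrors a repository into a chroot directory, strips all write bits from the copy, and audits the chroot for stray compilers and interpreters and for any writable repository file. The directory layout, the interpreter list and the sample repository files are constructed for illustration.

```shell
#!/bin/sh
# Build, populate and audit a read-only chroot copy of a CVS repository for
# an anonymous-only server. Added example; paths and file contents are
# constructed for illustration, not taken from any real deployment.

# Copy the repository into the chroot and remove every write bit, so the
# anonymous account cannot modify the mirror even if it escapes CVS itself.
# $1 = source repository, $2 = chroot root
mirror_repo() {
    mkdir -p "$2"
    cp -Rp "$1" "$2/cvsroot"
    chmod -R a-w "$2/cvsroot"
}

# Return 0 when no compiler or general-purpose interpreter exists in the
# usual binary directories of the chroot; print each offender otherwise.
# $1 = chroot root
audit_no_interpreters() {
    found=0
    for name in cc gcc g++ perl python php ruby tclsh; do
        for dir in bin sbin usr/bin usr/sbin usr/local/bin; do
            if [ -e "$1/$dir/$name" ]; then
                echo "FAIL: $1/$dir/$name present in chroot" >&2
                found=1
            fi
        done
    done
    return $found
}

# Return 0 when nothing under the repository copy carries a write bit for
# owner, group or other. $1 = chroot root
audit_repo_readonly() {
    if find "$1/cvsroot" \( -perm -200 -o -perm -020 -o -perm -002 \) -print \
        | grep -q .; then
        echo "FAIL: writable entries under $1/cvsroot" >&2
        return 1
    fi
    return 0
}

# Create a throwaway layout: a constructed source repository and an empty
# jail with the directories the audit inspects. Prints the base directory.
build_demo_chroot() {
    base=$(mktemp -d)
    mkdir -p "$base/repo/CVSROOT" "$base/repo/project" \
             "$base/jail/bin" "$base/jail/usr/bin"
    printf 'head 1.1;\n' > "$base/repo/project/README,v"   # constructed RCS file
    : > "$base/repo/CVSROOT/modules"
    printf '#!/bin/sh\n' > "$base/jail/bin/cat"              # harmless stand-in
    echo "$base"
}

# Restore write bits so the throwaway layout can be deleted. $1 = base dir
cleanup_demo() {
    chmod -R u+w "$1"
    rm -rf "$1"
}
```

Typical use is `mirror_repo /path/to/repo-copy /srv/anoncvs-jail` from the maintenance-time sync, followed by both audits before the public interface is brought back up; a non-zero exit from either audit is the signal to stop and look.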
