[EMAIL PROTECTED] on 06/08/2000 10:58:20 PM
>[ On Thursday, June 8, 2000 at 17:27:05 (-0400), Noel L Yap wrote: ]
>> Subject: Re: Proposal: have client CVS send remote username to server CVS
>>
>> My point was that, using this method, CVS will treat each of the many users
as
>> the one system user. Pserver doesn't do that. You can map many CVS users to
>> one user and CVS will know them by their CVS username, not their system name.
>
>Ah yes, but cvs-pserver can only map to multiple different system users
>if you run it as root, which no matter what anyone says is extremely
>risky. Many (most?) systems foolishly allow a process to regain its
>former privileges if great care is not taken, and on some I understand
>it is not even possible to prevent such re-instatement, thereby leaving
>CVS open to exploit throughout its entire body of un-audited code.
>
>If you run cvs-pserver as an ordinary system user then you cannot map
>CVS identities to any other system user.
You're missing the point entirely. It doesn't matter /how/ pserver is able to
map users or whether it's insecure. My statement was that such an ability is an
advantage. My proposal gives that advantage to SSH CVS without foregoing any of
the security (and, in fact, it'll have increased auditing abilities in scenarios
where mapping were used) since CVS will still be running as the system user.
Noel
This communication is for informational purposes only. It is not intended as
an offer or solicitation for the purchase or sale of any financial instrument
or as an official confirmation of any transaction. All market prices, data
and other information are not warranted as to completeness or accuracy and
are subject to change without notice. Any comments or statements made herein
do not necessarily reflect those of J.P. Morgan & Co. Incorporated, its
subsidiaries and affiliates.
