[EMAIL PROTECTED] on 2000.08.08 02:14:08
>So, if I do that, how do I get access control lists? Currently the only
>reason why I have to run pserver as root is so that I can hand out
>write access to my repository on a module by module basis. Core
>developers get to write to every module, but some developers are only
>permitted to write to one or two modules. I do this by putting people
>into different unix groups.
>
>If there is some other way I can do this, without having to rely on
>unix groups, then I don't have to run pserver as root--and that *would*
>be a big improvement.

You might want to see if you're able to use file system ACLs for this purpose.

>Wrong again. There is only *one* problem with pserver that I cannot ever
>fix, and that is the problem with passwords being sent in the clear. Every
>other problem can be fixed, and every such fix is an improvement. My
>recent chroot patch fixed several problems, thereby improving pserver
>in several ways.

You might want to take a look at SRP. In the end, though, something must keep
the password on the client side. I'd rather have something like ssh-agent do
this than something built into CVS.

>Even the problem with cleartext passwords could be fixed, but that fix
>would require modifying the clients as well. In theory it would be just
>as easy to modify all the clients so they use your ssh solution instead
>so it's not as attractive to fix pserver completely.

The clients still store the password in an easily decryptable file. Either the
clients have to be changed, or pserver should be ripped out. From cvs-nserver's
abstract, I think it may solve many of the security problems.

Noel
This communication is for informational purposes only. It is not intended as
an offer or solicitation for the purchase or sale of any financial instrument
or as an official confirmation of any transaction. All market prices, data
and other information are not warranted as to completeness or accuracy and
are subject to change without notice. Any comments or statements made herein
do not necessarily reflect those of J.P. Morgan & Co. Incorporated, its
subsidiaries and affiliates.
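The thread above contrasts two ways of handing out per-module write access: unix group membership (which forces pserver to run as root so it can switch groups) and an access control list kept outside the unix account system. The following is an added example, not part of the original message and not CVS code, showing what such an explicit per-module ACL looks like when evaluated in userspace: a small policy file (format, module names and user names are all constructed for this example) where a `*` entry stands for the core developers who may write everywhere, everyone else is listed per module, and any user not listed is denied.

```python
"""Per-module write authorization expressed as an explicit ACL instead of
unix groups.  Added illustration, not CVS's own mechanism: the policy
format, the '*' core-developer entry and the sample roster are constructed."""

from __future__ import annotations

# Constructed policy: one line per module, "<module> <comma-separated users>".
# The "*" entry lists core developers, who may write to every module.
# Anyone not listed for a module gets no write access (deny by default).
SAMPLE_POLICY_TEXT = """\
# module   writers
*          alice,bob
libfoo     carol
libbar     carol,dave
docs       erin
"""


def parse_policy(text: str) -> dict[str, set[str]]:
    """Parse the policy text into {module: set_of_writers}.

    '#' starts a comment, blank lines are ignored, and a module that appears
    on several lines accumulates its writers.  Malformed lines are rejected
    rather than silently skipped so a typo cannot widen access unnoticed.
    """
    policy: dict[str, set[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"policy line {lineno}: expected '<module> <users>'")
        module, users = parts
        names = {u.strip() for u in users.split(",") if u.strip()}
        if not names:
            raise ValueError(f"policy line {lineno}: no users listed for {module!r}")
        policy.setdefault(module, set()).update(names)
    return policy


def can_write(policy: dict[str, set[str]], user: str, module: str) -> bool:
    """Allow only core developers or users explicitly listed for the module."""
    if user in policy.get("*", set()):
        return True
    return user in policy.get(module, set())


def writers_of(policy: dict[str, set[str]], module: str) -> set[str]:
    """Everyone who can write to `module`: core developers plus its own list."""
    return policy.get("*", set()) | policy.get(module, set())


def modules_writable_by(policy: dict[str, set[str]], user: str) -> set[str]:
    """Audit helper: the set of modules a given user may write to."""
    modules = {m for m in policy if m != "*"}
    if user in policy.get("*", set()):
        return modules
    return {m for m in modules if user in policy[m]}


if __name__ == "__main__":
    pol = parse_policy(SAMPLE_POLICY_TEXT)
    for who, mod in [("alice", "docs"), ("carol", "libfoo"), ("carol", "docs"),
                     ("mallory", "libfoo")]:
        print(f"{who:8} -> {mod:8}: {'write' if can_write(pol, who, mod) else 'deny'}")
```

The check runs entirely inside the server process with no privilege switching, which is the property the thread is after: the daemon can stay unprivileged and the policy file, not `/etc/group`, decides who writes where. The `modules_writable_by` helper is there for the periodic audit a repository owner would want to run before adding or removing a developer.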