On Tuesday, August 08, 2000 6:14 PM, Justin Wells [SMTP:[EMAIL PROTECTED]]
wrote:
> On Mon, Aug 07, 2000 at 02:11:13PM -0400, Greg A. Woods wrote:
>
> > The *ONLY* secure way to use cvspserver is to rip out the current crap
> > in the implementation that requires it to run as root and then to run it
> > only as a non-privileged unique user-id which is given permission to
> > read (and only read, i.e. it must be through group ownership) the
> > CVSROOT/passwd file.
>
> So, if I do that, how do I get access control lists? Currently the only
> reason why I have to run pserver as root is so that I can hand out
> write access to my repository on a module by module basis. Core
> developers get to write to every module, but some developers are only
> permitted to write to one or two modules. I do this by putting people
> into different unix groups.
>
> If there is some other way I can do this, without having to rely on
> unix groups, then I don't have to run pserver as root--and that *would*
> be a big improvement.
>
We use a commitinfo script to control who has commit privileges to which
parts of the repository. Our pserver runs as a special user (under inetd)
with virtually no permissions except the ability to run cvs.
***************************************************************
Chris Cameron Open Telecommunications NZ Ltd
Senior Solution Architect
[EMAIL PROTECTED] P.O.Box 10-388
+64 4 495 8403 (DDI) The Terrace
fax: +64 4 495 8419 Wellington
cell: +64 21 650 680 New Zealand
Life, don't talk to me about life ....(Marvin - HHGTTG)
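
The commitinfo approach described in the reply above, as an added example (not the poster's script and not CVS project code): a default-deny per-module check that needs no unix groups and no root. The hook path, the `commit_acl` file name and format, and the commitinfo line passing `$USER` and `$CVSROOT` are assumptions, as is the classic behaviour of CVS appending the repository directory and file names to the hook's arguments.

```shell
#!/bin/sh
# Added example, not the poster's script. The ACL file format, its location
# and the hook path are assumptions made for illustration.
# Assumed commitinfo entry (CVS appends the repository directory and the
# file names after these arguments):
#   ALL /usr/local/libexec/cvs-acl-check $USER $CVSROOT
# Assumed ACL line format:  <module-path>:<user>[,<user>...]

# may_commit USER CVSROOT REPO_DIR ACL_FILE  ->  status 0 allow, 1 deny
may_commit() {
    user=$1; root=$2; dir=$3; acl=$4
    # Empty or odd user names never match an ACL entry.
    case "$user" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    # The directory must lie under the root, with no ".." components.
    case "$dir" in
        "$root"/*) rel=${dir#"$root"/} ;;
        *) return 1 ;;
    esac
    case "/$rel/" in */../*) return 1 ;; esac
    while IFS=: read -r module users; do
        case "$module" in ''|'#'*) continue ;; esac
        # Match the module or a subdirectory of it, never a name prefix
        # ("core" must not grant access to "corelib").
        case "$rel/" in "$module"/*) ;; *) continue ;; esac
        case ",$users," in *",$user,"*) return 0 ;; esac
    done < "$acl"
    return 1    # default deny: unlisted modules are read-only
}

# Constructed sample ACL, written to the path given as $1.
write_sample_acl() {
    cat > "$1" <<'EOF'
# module:users
core:alice
docs:alice,bob
EOF
}

# Hook entry point: runs only when commitinfo supplies arguments.
if [ "$#" -ge 3 ]; then
    may_commit "$1" "$2" "$3" "$2/CVSROOT/commit_acl" || {
        echo "commit to $3 denied for $1" >&2
        exit 1
    }
fi
```

A non-zero exit from a commitinfo program makes CVS abort the commit, so the check fails closed when the ACL file is missing or unreadable.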