Jan Grant writes:
>
> In riposte, can I ask: why does pserver need --allow-root?
Because pserver typically runs as root and uses the client-supplied root
to look for a CVSROOT/passwd file that says who's allowed to log in and
who they should run as. If it weren't for --allow-root, someone with
access to the server machine could point pserver at an arbitrary root
directory that contains their own passwd file that lets them log in and
run as root (or anyone else, for that matter). Because server runs as
the actual user from the start, it's not subject to that kind of a
security problem.
> (a) defense in depth; (b) paranoia; (c) it's simpler; (d) there's a
> limit to the number of groups that a person can be in*.
I don't find any of those arguments persuasive.
-Larry Jones
It's clear I'll never have a career in sports until I learn
to suppress my survival instinct. -- Calvin
_______________________________________________
Info-cvs mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/info-cvs
