[EMAIL PROTECTED] (Larry Jones) writes:
[...]

> root is just another user as far as file ownership goes.  If a file is
> owned by joe and readable only by the owner, then no one other than joe
> can read it (except for root) just like no one other than root can read
> a root-owned file that is readable only by the owner.  When a file is
> readable only by the owner, there's no more or less security depending
> on whether that user is root or some other user.

I guess that is sort of true, but really it's not quite right either.
I would expect root's password to be carefully selected so that the
likes of `john the ripper' wouldn't crack it easily.

One thing I would expect a script kiddie to do is try to crack the
password file.  May not really be much of a problem with md5 passwords
and shadow files, but I once applied `john the ripper' to an older
FreeBSD /etc/master.passwd on a machine with about 2000 users and had
1200 working passwords in about 15 seconds.  Many of them were what is
sometimes called `joe joe' passwords (user and passwd are the same).
So may not be a fair comparison.  Plus I already had root, just to get
to the master.passwd file.

>> Further, if files on the local machine's checked out module are under
>> root protection then an `update' by `joe' wouldn't overwrite them
>> would it?
>>
>> Or if Joe tries to check out a module when in / or some other root
>> only directory, he won't be able to right?
>
> In this case, you are still running as root on the local machine; you're
> only running as joe on the server machine.

Oh yeah, of course, that would be the case on the local machine...
What was I thinking..?

>> One last thing that doesn't seem to add up here. If suing with no `-'
>> is ok for cvs how is not ok as `su -'. Seems the same kind of
>> problems would obtain in either case.
>
> Because a simple `su' just changes your current user-ID.  `su -' goes
> out of its way to make it look exactly like you logged in as the other
> user which generally prevents CVS from finding out who you really did
> log in as.

OK, I see how it would affect records inside cvs but, what I really
meant was how does it make security problems any better or worse?
That is, if sued with no `-' or not.  In either case problems related
to security would be the same, wouldn't they?

Thanks for the informative discussion.

_______________________________________________
Info-cvs mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/info-cvs
