-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Julian Opificius <[EMAIL PROTECTED]> writes:

> Larry Jones wrote:
> > Julian Opificius writes:
> >
> >>I'm not quite sure what you mean by "mapping" users.
> > Using the third field of the CVSROOT/passwd file to have the server run
> > as some user other than the actual user.
> >
> Yep, that's what I am/was doing.
> >
> >> I want each user to have his own login to the system, and I want to
> >> control access to CVS repositories on a per-user basis, which is
> >> why I use pserver.
> > There's no need to use pserver for that.  In fact, pserver is a giant
> > security hole that is best avoided.  Since you're giving your users ssh
> > access to the server anyway, the best thing for you to do is to use
> > :ext: mode with ssh rather than rsh (which should be the default if
> > you're running CVS 1.12).  Each user logs in as themselves and you can
> > then use ordinary file permissions to control who has access to
> > what. See the manual for details:
> >     <https://www.cvshome.org/docs/manual/cvs-1.11.20/cvs_2.html#SEC13>
> > -Larry Jones
> >
> I have one more issue that affects my choice that I should have
> mentioned earlier. We are working in an FAA-regulated environment, and
> my CVS repository must be secure, in that nobody can impair the
> lifecycle data, and all accesses must be documented and controlled,
> i.e. all accesses must be via the cvs server. This is why I chose
> pserver in the first place.
> 
> How can I maintain this level of integrity without pserver: keeping
> the repository itself inaccessible, while allowing write access
> through cvs?

Using ssh in a restricted execution mode in general and for restricted
execution of CVS is discussed in many places.

I suggest you may find more reading useful... try these documents:

  http://www.idealx.org/doc/chrooted-ssh-cvs-server.en.html
  http://www.prima.eu.org/tobez/cvs-howto.html
  http://www.informatimago.com/linux/chrooted-ssh-cvs.html

You may also find other documentation via your favorite search engine.

        Enjoy!
        -- Mark
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)

iD8DBQFCwF2X3x41pRYZE/gRAv1sAJ0e08Qbt74VqXR4ELjguqFkoruPPwCdHKna
u9OpZ7vumWiDN1fHzzEFa/s=
=sqVv
-----END PGP SIGNATURE-----


_______________________________________________
Info-cvs mailing list
Info-cvs@gnu.org
http://lists.gnu.org/mailman/listinfo/info-cvs
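
One way to set up the restricted ssh execution of CVS discussed in the reply above, as an added example that is not taken from the thread or from the linked documents: a forced-command wrapper that lets an ssh key start only the CVS server and logs every request. It assumes OpenSSH on the server; the script name, its install path and the `--enforce` argument are hypothetical.

```shell
#!/bin/sh
# cvs-gate: forced-command wrapper for CVS over ssh (added example).
# Hypothetical install path: /usr/local/bin/cvs-gate
# Per-key line in ~/.ssh/authorized_keys (placeholder key, one line):
#   command="/usr/local/bin/cvs-gate --enforce",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa <public-key> user@host

# Print "allow" only for the exact request a CVS :ext: client sends.
# Anything else (shell, scp, chained commands, empty string) is "deny".
cvs_gate_decide() {
    case "$1" in
        "cvs server") echo allow ;;
        *)            echo deny ;;
    esac
}

# Record the decision, then either become the CVS server or refuse.
cvs_gate_enforce() {
    request="${SSH_ORIGINAL_COMMAND:-}"
    verdict=$(cvs_gate_decide "$request")
    # Replace non-printable bytes so a request cannot forge log lines.
    request_log=$(printf '%s' "$request" | tr -c '[:print:]' '?')
    # Audit trail: who asked, from where, for what, and the verdict.
    logger -t cvs-gate -p auth.info \
        "user=$(id -un) client=${SSH_CLIENT:-unknown} verdict=$verdict request=$request_log"
    if [ "$verdict" = allow ]; then
        # Fixed argv: nothing from the client reaches the command line.
        exec cvs server
    fi
    echo "cvs-gate: only 'cvs server' is permitted on this account" >&2
    exit 1
}

# Run the gate only when sshd invokes the script as the forced command.
if [ "${1:-}" = "--enforce" ]; then
    cvs_gate_enforce
fi
```

The wrapper only limits what the ssh login can execute; the CVS server still runs as the logged-in user, so repository file permissions (or the chroot setups the linked documents describe) remain a separate layer.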
