Re: Problem with admin privileges

Tue, 05 Jul 2005 14:22:20 -0700 

Todd Denniston wrote:


Big question: What do you think using :pserver: at this point, gain you and

your users over just :ext: over ssh? 


Because they already have (and will continue to have) valid system shell
login, from here it only looks like more admin trouble to setup and maintain
pserver, plus it probably reduces the authentication or authorization you
had from the ssh and system level, especially when a new pserver hole comes
out.


How does a hole in pserver reduce security? Is ssh protecting me or not? 
  I realize that all security is additive, but pserver would seem to be 
no more than paint on the wall of ssh, meaning that if ssh goes down, 
pserver won't help, but then again it won't hinder either.





I have solved most of my admin problem by running admin users as their
themselves using $CVSROOT/CVSROOT/passwd entries like this:
 "username:password"
rather than as the global cvs user:
 "username:password:cvs"


<SNIP>

Why use the $CVSROOT/CVSROOT/passwd at all, just use the system
authentication fallback, it SHOULD make your life easier because only the
system level auth files need scrubbed when someone leaves not the system
level AND all the cvs repos.




The only reason I am using pserver is that it allows my users to have 
CVAS controlled access to the respositories without giving them dierct 
write access to them. If you can suggest another way of doing that, I'd 
be glad to use it.



From a security perspective, my understanding is that ssh gives me 
adequate protection from invasion from the outside world, (ssh is the 
only port mapped through NAT to the server) and I have not yet 
identified a need to protect my data from malicious intent from inside, 
so I'm not really sure what the risks of pserver over ssh really are.



As a final disclaimer: I'm an embedded software engineering manager, not 
a network guru, and the network is a means to an end, not a reason to 
live, so if I'm missing something, please feel free to snicker and roll 
your eyes - as long as you then enlighten me as to what I "should" be 
doing ;-)


Cheers!

julian.


_______________________________________________
Info-cvs mailing list
Info-cvs@gnu.org
http://lists.gnu.org/mailman/listinfo/info-cvs


























					Reply via email to