Update of sr #723 (project savane):
Status: None => Need Info
Summary: savannah.conf.pl documentation lack of clarity
(user accounts) => sv_membersh configuration
_______________________________________________________
Follow-up Comment #3:
"This should almost certainly contain a warning that this should NOT be the
same directory as the shell accounts home directory of the host system!"
I admit it is not really documented, but you may want to have it in the same
directory as the shell accounts home directory of the host system. It depends
on what you are trying to do.
"As a side note, I don't see anywhere, in ANY of the documentation, a
discussion of what the security and other ramifications of all this user
account creation might be. Do these accounts have shells? Can people SSH into
them as if they were regular shell account holders? I find it rather
disturbing, very disturbing actually, that useradd is used to create actual
shell accounts (whether limited or otherwise) for people who are to be users
of a web-based system. This seems very strange and dangerous to me. Is it
impossible to give people CVS access to the project files without this?"
The only possibility to provide CVS access with SSH, so without shell
accounts, is to use CVS pserver. Considering the dramatic history of
security holes in pserver, we surely do not recommend such things and do not
even take into consideration that option.
"Just curious why the decision to use actual system-level accounts instead of
something more virtualized and secure, that insulates the system from the
potential hundreds-of-thousands of users a savane installation could create."
Because most services of a development platform are nowadays based on SSH and on
unix rights for file access. So this requires unix accounts.
And we feel more secure to use unix accounts (that are not insecure by
design, otherwise even using GNU/Linux would not be an option) than
reinventing a mechanism that would have to do exactly the same things as unix
accounts.
However, it is best to have system accounts and services in a chrooted
environment.
"Additional note: The savane-doc PDF does briefly explain what cvssh is, but
it would be helpful if users were told where to get it"
What you got is probably not what you want. cvssh was renamed sv_cvssh and is
now named sv_membersh...
It is part of Savane and anything else is not what we recommend you to use.
"sv_membersh not only uses a hard-coded path to its config file (bad!) it also
just doesn't seem to work - dies with an error regardless what argument is
passed to it, even when cvs, etc., are made allowable in membersh-conf.pl."
Can you provide a copy of your membersh-conf.pl?
What error message does it print exactly?
_______________________________________________________
Reply to this item at:
<http://gna.org/support/?func=detailitem&item_id=723>
_______________________________________________
Message sent via/by Gna!
http://gna.org/