httpd-dev mailing list archives

From Marc Slemko <ma...@worldgate.com>
Subject Re: fetching from-cvs
Date Sun, 20 Jul 1997 01:08:30 GMT
No.  No.  No.

Don't trust it, don't trust it, don't trust it.

If you want anonymous access to the repository, put it on a different
machine or a separate copy of the repository on taz in a chrooted
environment with _nothing_ being run as root and no setuid binaries inside
the chrooted environment.

On Wed, 16 Jul 1997, Alexei Kosut wrote:

> On Wed, 16 Jul 1997, Dean Gaudet wrote:
> 
> > What are the security implications of making a user id anoncvs, not in
> > group httpd or cvs, and who can only log in via ssh, without a password
> > and execute the command "cvs server" ?
> 
> Does ssh allow you to control what commands the user can execute? I'd be
> worried about giving an anonymous user access to a tool designed to open
> a shell.
> 
> The way this is usually done is using pserver. It's designed only for
> accessing CVS, and also comes built in to CVS (you don't need to install
> ssh).
> 
> > Rasmus how is it that you do anoncvs again?  We could really use it on taz
> > I think. 
> 
> I think it is. OTOH, there are security risks with pserver, and if we set
> up an anonymous CVS account, there can be little tracking done of who
> does what (except for logs of remote hostnames, I guess).
> 
> One option might be to set up an insecure machine (i.e. one that doesn't
> have anything critical to the Apache Project or to anyone else's stuff),
> have it mirror the repository, and set up anon-cvs on that machine.
> 
> Or we could just make sure pserver is safe. :)
> 
> -- Alexei Kosut <akosut@organic.com>
> 
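An added check, not part of this thread, for the chroot requirement Marc states above (no setuid binaries inside the jail): a POSIX sh audit that flags any setuid or setgid file under a chroot root, run here against a constructed sample tree. The helper names and the file paths in the sample tree are made up for illustration.

```shell
#!/bin/sh
# Hypothetical audit helper (not from the thread): verify that a chroot tree
# contains no setuid/setgid files before exposing it to anonymous CVS users.

# Print every regular file under $1 carrying the setuid (4000) or setgid (2000) bit.
find_setuid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Exit status 0 only when the tree carries no setuid/setgid file at all.
chroot_is_clean() {
    n=$(find_setuid_files "$1" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Build a constructed sample chroot in a temp dir: one harmless binary, one
# setuid file and one setgid file that the audit must flag.
make_sample_chroot() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/usr/bin"
    : > "$root/bin/cvs";      chmod 0755 "$root/bin/cvs"      # fine
    : > "$root/usr/bin/su";   chmod 4755 "$root/usr/bin/su"   # setuid: must be flagged
    : > "$root/usr/bin/wall"; chmod 2755 "$root/usr/bin/wall" # setgid: must be flagged
    printf '%s\n' "$root"
}

demo() {
    root=$(make_sample_chroot)
    if chroot_is_clean "$root"; then
        echo "clean: $root"
    else
        echo "NOT clean, setuid/setgid files found under $root:"
        find_setuid_files "$root"
    fi
    rm -rf "$root"
}
demo
```

Run the audit against the real jail root before enabling anonymous access, and again after any package is copied into it.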