httpd-dev mailing list archives

From Marc Slemko <>
Subject Re: anonymous CVS access
Date Thu, 31 Jul 1997 19:11:54 GMT
On Thu, 31 Jul 1997, Brian Behlendorf wrote:

> At 12:19 PM 7/30/97 -0600, Marc Slemko wrote:
> >On Wed, 30 Jul 1997, Dean Gaudet wrote:
> >> What are you uncomfortable with? 
> >
> >Anyone can access the bugdb, 
> Nope, only folks whose passwords are in /export/apache/.htpasswd-dbm
> We could make that more secure by installing Apache-SSL too.

Login to taz.  edit-pr.

The way to fix the security would be to stop the setuid gnats programs
from being world executable and using suexec on a separate virtual host to
run the bugdb script so it has access.

> >anyone can do silly things to let people get
> >access to the system, once they have a shell they probably can get root
> >somehow.  
> With any non-zero number of users, though, that's a given on any system.  I
> am actively shutting down inactive accounts, reminding people to change
> passwords when Crack shows them to be insecure, and I'm as cautious about
> accounts as I would be on an Apache-only machine - that is, I may not have
> met them in person, but they must have a good reference from someone who I

I sure hope not, unless you feel like a vacation in nice sunny Edmonton.

> have a high amount of trust in.

If each account has a 1% chance of being cracked, then if you have 200
accounts you have an 87% chance of being cracked while if you have 20
accounts you have an 18% chance of being cracked.  (yes, those numbers
have 0 meaning but my point is the more users the more risk.)
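The arithmetic behind the 87% and 18% figures, as an added note that is not part of the original message: it assumes each account is compromised independently with probability p, so the chance that at least one of n accounts falls is the complement of all n surviving.

\[
P(\text{at least one of } n \text{ accounts compromised}) = 1 - (1-p)^n
\]

With p = 0.01:

\[
n = 200:\quad 1 - 0.99^{200} \approx 1 - 0.134 \approx 0.87,
\qquad
n = 20:\quad 1 - 0.99^{20} \approx 1 - 0.818 \approx 0.18 .
\]

For small p the risk grows roughly as n·p until n·p approaches 1, so both pruning accounts (smaller n) and enforcing stronger passwords (smaller p) shrink the same product.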
