httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alexei Kosut <>
Subject Re: fetching from-cvs
Date Wed, 16 Jul 1997 17:59:51 GMT
On Wed, 16 Jul 1997, Dean Gaudet wrote:

> What are the security implications of making a user id anoncvs, not in
> group httpd or cvs, and who can only log in via ssh, without a password
> and execute the command "cvs server" ?

Does ssh allow you to control what commands the user can execute? I'd be
worried about giving an anonymous user access to a tool designed to open
a shell.

The way this is usually done is using pserver. It's designed only for
accessing CVS, and also comes built in to CVS (you don't need to install

> Rasmus how is it that you do anoncvs again?  We could really use it on taz
> I think. 

I think it is. OTOH, there are security risks with pserver, and if we set
up an anonymous CVS account, there can be little tracking done of who
does what (except for logs of remote hostnames, I guess).

One option might be to set up an insecure machine (i.e. one that doesn't
have anything critical to the Apache Project or to anyone else's stuff),
have it mirror the repository, and set up anon-cvs on that machine.

Or we could just make sure pserver is safe. :)

-- Alexei Kosut <>

View raw message