John Kinson wrote:
> If a user has commit access to CVSROOT they can do what they like with
> the group and passwd files etc, regardless of whether they're under
> version control or not. All a user need do is add the file as a new
> file, include it in the checkoutlist, then the server-side file will be
> replaced with the user's file when they commit.

You can't add passwd to checkoutlist as it's special (if you try it CVSNT should stop you). I should add group to that list, too. If someone can write to group then they can potentially access any part of the repository, just adding the names of the users they want to impersonate on their group list (each 'user' is a group too).

> Write access to CVSROOT needs to be locked down to administrators, and
> the decision as to whether to place a CVSROOT file under version control
> should be based on whether you want users to be able to read it, not
> whether they should be able to write to it.

That's a good way of putting it. If you set an ACL so that nobody but administrators can even checkout CVSROOT then it'll still work and be safe - the server itself accesses the files directly so doesn't need read access via that mechanism.

Tony
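
An administrator's audit for the exposure discussed in this thread, as an added example that is not part of the original message or of CVSNT: it flags `passwd` or `group` when they are listed in `CVSROOT/checkoutlist` or have an RCS `,v` file in CVSROOT. The function names, the sample directory and the case-insensitive name match are assumptions made for illustration.

```python
import os
import tempfile

# Files the thread treats as security-critical: whoever can replace them
# can change who may log in (passwd) or join any group (group).
SENSITIVE = {"passwd", "group"}

def parse_checkoutlist(text):
    """Return the file names listed in a CVSROOT/checkoutlist.

    Each non-comment line is a file name, optionally followed by
    whitespace and an error message, which is ignored here.
    """
    names = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        names.append(line.split(None, 1)[0])
    return names

def audit_cvsroot(cvsroot_dir):
    """Return findings for sensitive files that a CVSROOT commit can replace."""
    findings = []
    path = os.path.join(cvsroot_dir, "checkoutlist")
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            for name in parse_checkoutlist(fh.read()):
                # Assumption: compare case-insensitively (Windows servers).
                if os.path.basename(name).lower() in SENSITIVE:
                    findings.append(f"checkoutlist rebuilds '{name}' on commit")
    # An RCS ',v' file means the file was added to version control.
    for name in sorted(SENSITIVE):
        if os.path.exists(os.path.join(cvsroot_dir, name + ",v")):
            findings.append(f"'{name}' is under version control ({name},v)")
    return findings

def demo():
    """Run the audit over a constructed CVSROOT directory."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "checkoutlist"), "w") as fh:
            fh.write("# constructed sample\nsite.conf\ngroup  update failed\n")
        open(os.path.join(d, "group,v"), "w").close()
        return audit_cvsroot(d)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A clean result does not replace the ACL advice above; it only confirms that neither file is currently routed through a CVSROOT commit.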