The community technical support mailing list was retired in 2010 and replaced with a professional technical support team. For assistance please contact pre-sales technical support via email at sales@march-hare.com.
On Mon, 19 Jul 2004 17:29:31 +0400, "Gennady G. Marchenko" <gennady.marchenko at iss.ru> wrote:

>I believe that I may use cvsd with cvsnt and sserver protocol.
>But cvsnt under root account insecure too, I need users for cvs from ldap server, but not see how I can use cvsroot/passwd file in openldap, but all system users already auth over ldap server, and cvsnt (start from root) with sserver protocol auth successfully. But from non-root/chroot... have no luck :(
>

cvs drops privileges very quickly after it starts up (it just does enough to verify the user.. doesn't run anything external and only reads the CVSROOT/config file) so isn't particularly insecure under the root account... many thousands of sites run in that configuration without issue.

If you want cvs to run under real system users it needs enough privileges to pretend to be them at least (on Windows you can disable that but it's one of those things I wish I'd never done...).

The ability to force cvs to run under a single user on Unix may be useful to some, and is probably worth adding to the wishlist... can you file a feature request on the bug tracker?

One solution may be to use ssh, which doesn't run as root and only requires that there's an account on the server for the user to ssh into (which may be locked down so it can only run cvs). There are various websites about this kind of configuration.

Tony
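
The ssh lock-down mentioned in the reply above ("locked down so it can only run cvs") can be done with an OpenSSH forced command. The wrapper below is an added example, not part of the original message or of CVSNT; the install path /usr/local/bin/cvs-only, the /usr/bin/cvs location, the key shown in the comment and the assumption that the client requests the default remote command `cvs server` are all illustrative.

```shell
#!/bin/sh
# Added example: forced-command wrapper for a CVS-only SSH account.
# Hypothetical install path: /usr/local/bin/cvs-only
#
# Referenced from the account's ~/.ssh/authorized_keys (key is a placeholder):
#   command="/usr/local/bin/cvs-only",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA...PLACEHOLDER user@example
#
# sshd runs this script instead of whatever the client asked for and puts
# the client's request in SSH_ORIGINAL_COMMAND.

# Print "allow" or "deny" for a requested command string.
# Exact match only: no prefixes or patterns, so "cvs server; sh",
# extra arguments and interactive logins (empty string) are refused.
cvs_only_decide() {
    case "$1" in
        "cvs server") echo allow ;;
        *)            echo deny ;;
    esac
}

cvs_only_main() {
    requested="${SSH_ORIGINAL_COMMAND:-}"
    if [ "$(cvs_only_decide "$requested")" = "allow" ]; then
        # Never eval the client's string; exec a fixed argv instead.
        # /usr/bin/cvs is an assumed location for the cvs binary.
        exec /usr/bin/cvs server
    fi
    # Log the refusal with non-printable bytes replaced, so a hostile
    # command string cannot inject control characters into the log.
    safe=$(printf '%s' "$requested" | tr -c '[:print:]' '?')
    logger -t cvs-only -p auth.warning \
        "denied user=$(id -un) cmd=$safe" 2>/dev/null || true
    echo "This account may only be used for CVS access." >&2
    return 1
}

# Run the wrapper only when invoked under its installed name, so the
# functions above can be sourced or tested without side effects.
case "$0" in
    */cvs-only) cvs_only_main; exit $? ;;
esac
```

The account's authorized_keys file should be owned by root or otherwise not writable by the CVS user, since a user who can edit it can remove the `command=` restriction.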