[cvsnt] Re: How to use CVS init -r option ???

Bo Berglund bo.berglund at system3r.se
Wed Jun 28 12:41:58 BST 2006




On Wed, 28 Jun 2006 12:18:06 +0100, Tony Hoyle
<tony.hoyle at march-hare.com> wrote:

>David Somers wrote:
>> Tony Hoyle wrote:
>> 
>>>The whole thing probably needs a rethink for security purposes anyway.
>> 
>> 
>> I thought only a user with admin rights could do init -r, so its use is
>> already restricted to (hopefully) responsible admins.
>> 
>The problem is the potential for abuse, and accidents, even for admins. 
>  It's just a bit too unsafe for my liking at the moment.
>
>For remote repository init there probably needs to be a global root that 
>the new ones are created under - this stops people trying to create 
>repositories in random places on the disk, which is a situation I really 
>don't like (a cvs init in c:\windows could be rather a mess for 
>example.. especially if it wasn't caught for a while).
>

What I don't like is this:
A user is connecting using this string: :sspi:cvsserver:/repo1
Say that this user is mentioned in the admin file for repo1, it makes
him an admin for that repository (but not necessarily for another).

Now if this user is allowed to just arbitrarily send an init command
where he is also specifying a *physical* directory to create, where
would this put us? He could then create a dir on a nonsecured disk or
as you point out smack in the operating system realm!
Terrible situation in my mind.

I don't think that repository creation belongs among the cvs commands
using anything but the local connection!

In order to make it available to a *system* admin to do remotely a
better way in my mind would be to make the CVSNT control panel
application able to connect via the network to the server PC and then
present the same dialogs as always in the control panel. This would
surely beat the discussed methods security-wise.
On connection the system would validate the user as an admin too.

If you look at Microsoft's RegEdit as an example it has a menu command:
File/ConnectNetworkRegistry that allows it to operate on a remote PC.
Similar for Microsoft's Service Manager.

Could you not do it this way instead????


/Bo Berglund
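
The "global root" confinement proposed in the quoted reply can be sketched as a server-side check. This is an added example, not CVSNT code and not part of the original message; the function names, the root `D:\cvsrepos` and the "/name" request form are assumptions made for illustration.

```python
import ntpath  # Windows path rules, purely lexical, so this runs on any OS


class RepoPathError(ValueError):
    """Requested repository does not map to a directory under the global root."""


def resolve_new_repo(global_root: str, requested: str) -> str:
    """Map a client-supplied repository name (e.g. "/repo2") to a physical
    directory strictly beneath global_root, or raise RepoPathError."""
    # Treat the request as a name relative to the root, never a physical path.
    name = requested.lstrip("/").replace("/", "\\")
    drive, rest = ntpath.splitdrive(name)
    if drive or rest.startswith("\\"):
        raise RepoPathError(f"absolute, drive or UNC path refused: {requested!r}")
    if ":" in rest:
        raise RepoPathError(f"':' not allowed in repository name: {requested!r}")
    root = ntpath.normpath(global_root)
    # normpath collapses "." and "..", so traversal shows up as a prefix mismatch.
    candidate = ntpath.normpath(ntpath.join(root, rest))
    prefix = ntpath.normcase(root).rstrip("\\") + "\\"
    if not ntpath.normcase(candidate).startswith(prefix):
        raise RepoPathError(f"outside global root: {requested!r}")
    # Lexical check only: a real server must also resolve junctions and
    # symlinks on the actual filesystem before creating anything.
    return candidate


def is_allowed(global_root: str, requested: str) -> bool:
    """True when the request resolves to a directory under the root."""
    try:
        resolve_new_repo(global_root, requested)
        return True
    except RepoPathError:
        return False


if __name__ == "__main__":
    ROOT = "D:\\cvsrepos"  # assumed global root, configured by the system admin
    # Constructed sample requests, including the c:\windows case from the thread.
    for req in ["/repo2", "/team/projA", "c:\\windows", "/../windows",
                "\\\\host\\share\\x", "/repo2/.."]:
        print(f"{req!r:24} -> {'create' if is_allowed(ROOT, req) else 'refuse'}")
```
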


