[cvsnt] linux host, and ACLs

bwhicks at aep.com bwhicks at aep.com
Fri Oct 20 15:53:57 BST 2006




cvsnt-bounces at cvsnt.org wrote on 10/20/2006 10:35:50 AM:

> Hmm... "unless you are doing something extremely dumb..."

> Reason: the box is *not* dedicated,  every user will have shell 
> access to the machine, I need this feature for other purposes.
> 
> Remember: It's a unix server, and every user will have a shell
> account on the machine. They will, via their shell account, be 
> able to "cd /to/places" on the same file system as the 
> repository. Thus, I believe it is much like ":local:"

This changes EVERYTHING.

If they have a shell account, they can already "cd /whatever/they/want", 
unless you've used filesystem ACLs to prevent them. The problem with CVS 
though, especially CVSNT, is that it's designed for use as a networked 
server. So all of the security bits follow this idea. If you use :local:, 
all of the server stuff is bypassed. You're left with whatever the 
filesystem ACLs can do for you. 

Here's what you need to consider. Doing a "cd /" and poking around is 
totally separate from anything CVS related. This should be secured in 
whatever way you deem appropriate. You MAY want to chroot your CVS stuff 
so users can't do any permanent damage to the main system. Since this 
isn't dedicated, what else do users do on this thing besides CVS that 
could also be a security problem?

Also, as far as CVS is concerned, remember that users will need filesystem 
write access in order to do commits. This basically means that they can 
seriously damage/modify the actual repository (the ,v files) any way that 
they choose. Make sure they only have access to what they need to have 
access to, and make sure they understand that they shouldn't do something 
stupid like "vi somefile.txt,v" or "cvs ci -m'doing something stupid 
here...' somefile.txt,v". 

Good luck. 

Brian
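
The filesystem-permission point in the message above can be checked with a short audit script. This is an added example, not part of the original post or of CVSNT; the function names and the sample tree are hypothetical, and it assumes the stock CVS convention that ,v files are kept read-only while commits rely on write access to the containing directory.

```shell
#!/bin/sh
# Added example (not from the original post): audit a repository that shell
# users can reach directly, where only filesystem permissions protect it.

# audit_repo REPO: print one finding per line; print nothing when clean.
audit_repo() {
    # Anything world-writable can be altered by every shell user on the box.
    find "$1" ! -type l -perm -0002 | sed 's/^/WORLD-WRITABLE /'
    # Group-writable directory without setgid: files created there take the
    # creator's primary group instead of the repository group.
    find "$1" -type d -perm -0020 ! -perm -2000 | sed 's/^/NO-SETGID /'
    # Assumption: ,v files are read-only (stock CVS convention). A write bit
    # suggests a manual chmod or a hand edit of the history file.
    find "$1" -type f -name '*,v' \
        \( -perm -0200 -o -perm -0020 -o -perm -0002 \) | sed 's/^/WRITABLE-RCS /'
}

# make_sample_repo: build a constructed repository tree with two planted
# problems and print its path. All paths and file names are made up.
make_sample_repo() {
    sample=$(mktemp -d) || return 1
    mkdir -p "$sample/CVSROOT" "$sample/proj/open"
    : > "$sample/proj/good.c,v"
    : > "$sample/proj/edited.c,v"
    chmod 2775 "$sample" "$sample/CVSROOT" "$sample/proj"
    chmod 0777 "$sample/proj/open"        # planted: world-writable, no setgid
    chmod 0444 "$sample/proj/good.c,v"    # as expected: read-only
    chmod 0664 "$sample/proj/edited.c,v"  # planted: writable history file
    printf '%s\n' "$sample"
}

# Demo run on the constructed tree.
demo=$(make_sample_repo) && audit_repo "$demo"
rm -rf "$demo"
```

On a real host, pass the repository root to audit_repo and treat any output as something to explain or fix before granting shell users access to that filesystem.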

