[cvsnt] Can I use pserver on Linux under not root account?
tmh at nodomain.org
Mon Jul 19 14:39:18 BST 2004
On Mon, 19 Jul 2004 17:29:31 +0400, "Gennady G. Marchenko"
<gennady.marchenko at iss.ru> wrote:
>I belive what i may use cvsd with cvsnt and sserver protocol.
>But cvsnt under root account insecure too, i need users for cvs from ldap server, but not see how i can use cvsroot/passwd file in openldap, but all system users already auth over ldap server, and cvsnt (start from root) with sserver protocol auth seccessfuly. but from non-root/chroot... have no luck :(
cvs drops privileges very quickly after it starts up (it just does
enough to verify the user.. doesn't run anything external and only
reads the CVSROOT/config file) so isn't particularly insecure under
the root account... many thousands of sites run in that configuration
If you want cvs to run under real system users it needs enough
privileges to pretend to be them at least (on Windows you can disable
that but it's one of those things I wish I'd never done...).
The ability to force cvs to run under a single user on Unix may be
useful to some, and is probably worth adding to the wishlist... can
you file a feature request on the bug tracker?
One solution may be to use ssh, which doesn't run as root and only
requires that there's an account on the server for the user to ssh
into (which may be locked down so it can only run cvs). There are
various websites about this kind of configuration.
More information about the cvsnt