Hi again!

I did some more investigation and found out that some security-conscious people run pserver as an unprivileged UNIX system user. It is as simple as putting into /etc/inetd.conf something like

    cvspserver stream tcp nowait cvs /usr/bin/cvs cvs -f \
        --allow-root=/home/cvs/proj1-repository \
        --allow-root=/home/cvs/proj2-repository \
        ... \
        pserver

So all files will be strictly owned by this UNIX user cvs. The home directory of this user is obviously the place to put all the repositories under. A repository corresponds in this setup to a project. And /home/cvs could be given 700 rights, so no one can enter from inside the UNIX machine but UNIX cvs-users.

With each repository's CVSROOT/passwd file one could control which CVS users can access that specific repository. Like

    imre:56dgaE3xe0A8c:cvs
    heno:56dgaE3xe0A8c:cvs

And no messing around with file and directory permissions inside the CVS repository and other surgery! And it seems it works indeed!

Please comment on running cvs pserver this way, I am sure I missed something here which may turn out to be a security flaw ...

And last but not least, will pserver be running in further cvs versions also like undocumented in the http://cvshome.org/dev/patches/nonroot?

Best Regards,

Imre

PS I think I can tolerate the assumption that inside a project, i.e. repository, CVS users of that repository should trust one another. And there the cvsauth mechanics could be used.

PPS One last thing, please tell me exactly how to use an external file instead of putting the --allow-root=/repository into /etc/inetd.conf. I tried it like this, but it didn't work for me :(

/etc/inetd.conf:

    <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
    cvspserver stream tcp nowait root /etc/repos pserver

/etc/repos:

    #!/bin/sh
    exec /usr/bin/cvs cvs --allow-root=/home/cvs/repos $1

_______________________________________________
Info-cvs mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/info-cvs
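The layout described in the message above can be checked mechanically. The following is an added example, not part of the original post and not CVS project code: it parses an inetd.conf entry and CVSROOT/passwd contents and reports where they deviate from that layout. The function names, the constructed sample input and the finding texts are assumptions of this example.

```python
import shlex
from pathlib import PurePosixPath

# Constructed sample input, copied in shape from the message above.
INETD_CONF = """\
cvspserver stream tcp nowait cvs /usr/bin/cvs cvs -f \\
    --allow-root=/home/cvs/proj1-repository \\
    --allow-root=/home/cvs/proj2-repository \\
    pserver
"""
PASSWD = {"/home/cvs/proj1-repository":
          "imre:56dgaE3xe0A8c:cvs\nheno:56dgaE3xe0A8c:cvs\n"}

def parse_pserver(conf_text):
    """Return (run_user, allow_roots) for the pserver entry in inetd.conf text."""
    joined = conf_text.replace("\\\n", " ")  # join continuations as the message writes them
    for line in joined.splitlines():
        fields = shlex.split(line, comments=True)
        # Fields: service sock_type proto flags user server_path args...
        if len(fields) >= 7 and fields[-1] == "pserver":
            roots = [a.split("=", 1)[1] for a in fields[6:]
                     if a.startswith("--allow-root=")]
            return fields[4], roots
    raise ValueError("no pserver entry found")

def audit(conf_text, passwd_by_root, home, home_mode):
    """List deviations from the unprivileged-pserver layout in the message."""
    run_user, roots = parse_pserver(conf_text)
    findings = []
    if run_user == "root":
        findings.append("pserver runs as root")
    if home_mode & 0o077:  # any group/other permission bit set
        findings.append(f"{home} is mode {home_mode:o}, expected 700")
    for root in roots:
        if PurePosixPath(home) not in PurePosixPath(root).parents:
            findings.append(f"{root} is outside {home}")
        for entry in passwd_by_root.get(root, "").splitlines():
            parts = entry.strip().split(":")
            if not parts[0] or parts[0].startswith("#"):
                continue
            # An omitted third field means the CVS name doubles as the system user.
            sys_user = parts[2] if len(parts) > 2 and parts[2] else parts[0]
            if sys_user != run_user:
                findings.append(f"{root}: {parts[0]} maps to {sys_user}, not {run_user}")
    return findings

if __name__ == "__main__":
    for finding in audit(INETD_CONF, PASSWD, "/home/cvs", 0o700) or ["layout matches"]:
        print(finding)
```

On a live host, read the real files and pass `stat.S_IMODE(os.stat(home).st_mode)` as `home_mode`.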
