On Wed, Sep 24, 2003 at 04:56:19PM -0700, Mike Castle wrote:
> In article <[EMAIL PROTECTED]>,
> Wim Bertels <[EMAIL PROTECTED]> wrote:
> >Houdi,
> >It's a remote clients/server setup,
> >cvs is up and running, but by using the ext method users automatically gain
> >shell access to the cvs server, this is NOT intended, how do you solve this.
> >(I need to use ssh because I have to use pam_ldap to authenticate the cvs-users)
>
> I don't worry about it.
>
> Make sure nothing but CVS is on the machine, and users won't have access to
> anything they don't already have access to.
>
> No additional risk.

Well, I wouldn't say that. A real shell enables them to:

1) permanently delete files under CVS control
2) run arbitrary commands (including commands they upload)

1 is bad enough, but 2 could allow them (or someone with access to their
account) to use the server for any manner of attack on other servers
either inside or outside of your organization.

The only command they need to run is "cvs server", I don't see any reason
to give more access than that if it's a CVS-only machine.

-- 
Rob Helmer
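
One way to limit these accounts to "cvs server", as an added example that is not part of the original thread: a wrapper set as the CVS users' login shell, which works with password/PAM logins because sshd runs a remote command as `<login shell> -c "<command>"`. The install name cvs-only-shell and the function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): restricted login shell for
# CVS-over-ssh accounts. Assumed install name: cvs-only-shell, set as
# the login shell of each CVS user (for example via the LDAP loginShell
# attribute).
#
# The CVS client's :ext: method asks sshd to run "cvs server"; sshd
# passes that to the login shell as:  <shell> -c "cvs server"

# Return 0 only for exactly two arguments: -c and the literal string
# "cvs server". Anything appended ("; sh", "&& ...") fails the exact
# string comparison, so no parsing of the command is needed.
cvs_only_allowed() {
    [ "$#" -eq 2 ] || return 1
    [ "$1" = "-c" ] || return 1
    [ "$2" = "cvs server" ] || return 1
    return 0
}

cvs_only_main() {
    if cvs_only_allowed "$@"; then
        # Fixed PATH so the user's environment cannot choose the binary.
        PATH=/usr/bin:/bin
        export PATH
        exec cvs server
    fi
    # Interactive logins (no arguments) and every other command end here.
    logger -p auth.notice -t cvs-only-shell \
        "denied request from ${LOGNAME:-unknown}" 2>/dev/null
    echo "This account may only run: cvs server" >&2
    exit 1
}

# Act as a shell only when invoked under the assumed install name, so
# the functions above can be loaded and checked without side effects.
case "${0##*/}" in
    cvs-only-shell) cvs_only_main "$@" ;;
esac
```

The login shell does not govern sshd features such as TCP port forwarding, so those need to be turned off in sshd_config for the same accounts (for example `AllowTcpForwarding no`).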