Walter, Jan wrote:

> The only reason to put the passwords somewhere else is to prevent someone
> from accidentally checking it out and accidentally changing or deleting
> someone else's password and checking the file back in. It's a support issue,
> not a security one, whether the user intended to change their password or

Actually, the party that requested the change and prompted me to start this discussion stated a concern for the fact that anyone with write access to CVSROOT could add passwd to CVSROOT/checkoutlist, `cvs add' passwd via CVS, then commit it, causing the CVS server to create a passwd,v that didn't previously exist and overwrite the existing (or create) CVSROOT/passwd from the archive containing their version of the passwd file. Prior to 1.11.11, this could even be used to grant them root privileges.

Now, the CVS manual does state that permissions on $CVSROOT/CVSROOT should be controlled as tightly as those of /etc, rendering this point somewhat moot since if permissions were controlled correctly, then this wouldn't be able to happen. It might be reasonable to move the most vulnerable files to a location where sysadmins are already used to controlling the permissions tightly, but many other fairly secure applications, Apache and qmail come instantly to mind, do not seem to find it important to bother with this.

Anyhow, my reporter was enthusiastic, but I wasn't so sure, so I thought I would see what others thought about it.

Derek

--
*8^) Email: [EMAIL PROTECTED]
Get CVS support at <http://ximbiot.com>!
--
I will not fake my way through life.
I will not fake my way through life.
I will not fake my way through life...

- Bart Simpson on chalkboard, _The Simpsons_
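A defender-side audit for the exposure Derek describes, added here as an example and not part of the original thread or of CVS itself: it parses a CVSROOT/checkoutlist, flags passwd being exported through it or already archived as passwd,v, and reports group/world write bits on the CVSROOT directory and the file, following the manual's advice to guard that directory like /etc. The repository layout built in demo() is constructed sample data in a temporary directory.

```python
import os
import stat
import tempfile


def parse_checkoutlist(text):
    """Names listed in a CVSROOT/checkoutlist: one file per line, an optional
    error message after the name, '#' comments and blank lines ignored."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.append(line.split()[0])
    return names


def audit_cvsroot(cvsroot, sensitive=("passwd",)):
    """Return findings for the CVSROOT/ administrative directory under cvsroot."""
    findings = []
    admin = os.path.join(cvsroot, "CVSROOT")
    co_path = os.path.join(admin, "checkoutlist")
    listed = []
    if os.path.isfile(co_path):
        with open(co_path) as f:
            listed = parse_checkoutlist(f.read())
    for name in sensitive:
        # Listed in checkoutlist: a commit to CVSROOT/<name> rewrites the live file.
        if name in listed:
            findings.append(f"checkoutlist exports {name}")
        # An RCS archive already exists, so the file is under committer control.
        if os.path.isfile(os.path.join(admin, name + ",v")):
            findings.append(f"{name},v exists")
    # Mode check on the directory and each sensitive file (guard it like /etc).
    for path in [admin] + [os.path.join(admin, n) for n in sensitive]:
        if os.path.exists(path) and os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{os.path.relpath(path, cvsroot)} is group- or world-writable")
    return findings


def demo():
    """Audit a constructed repository layout (sample data, not a real repository)."""
    with tempfile.TemporaryDirectory() as root:
        admin = os.path.join(root, "CVSROOT")
        os.mkdir(admin, 0o755)
        with open(os.path.join(admin, "checkoutlist"), "w") as f:
            f.write("# constructed sample\ncvswrappers\npasswd  failed to update passwd\n")
        open(os.path.join(admin, "passwd,v"), "w").close()
        with open(os.path.join(admin, "passwd"), "w") as f:
            f.write("alice:x:cvs\n")  # constructed entry: user:hash:system-user
        os.chmod(os.path.join(admin, "passwd"), 0o666)
        return audit_cvsroot(root)
```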