On Wed, Dec 02, 1998 at 02:40:25AM +0100, Niels Möller <[EMAIL PROTECTED]> wrote:
> > Anonymous read-only CVS access is very important, I think.
> 
> I agree. Do you think an http interface is good enough, for now, or is
> it crucial that it is accessible with the plain cvs client?

Personally, if I were working on the code, I would want to check out a
current copy, and then I would email you any patches by hand.  So
actually being able to use the client would be pretty important.

> > > I'm not very familiar with the pserver-feature of cvs, but my impression
> > > is that it is not very secure.
> > 
> > I'm not so sure about that. Several large projects like GNOME and mozilla
> > use it successfully. Perhaps you can ask in comp.software.config-mgmt about
> > this?
> 
> Quoting the cvs manual:
> 
>   Security considerations with password authentication
>   ....................................................
>   
>      The passwords are stored on the client side in a trivial encoding
>   of the cleartext, and transmitted in the same encoding. The encoding
>   is done only to prevent inadvertent password compromises (i.e., a
>   system administrator accidentally looking at the file), and will not
>   prevent even a naive attacker from gaining the password.
>   
>      The separate CVS password file (*note Password authentication
>   server::.) allows people to use a different password for repository
>   access than for login access. On the other hand, once a user has
>   non-read-only access to the repository, she can execute programs on
>   the server system through a variety of means. Thus, repository access
>   implies fairly broad system access as well. It might be possible to
>   modify CVS to prevent that, but no one has done so as of this writing.
>   Furthermore, there may be other ways in which having access to CVS
>   allows people to gain more general access to the system; no one has
>   done a careful audit.
> 
> I should look closer at the pserver features, but I hesitate to allow
> anonymous users to execute cvs commands directly on the server. In
> particular as Lysator's backup system is not bullet-proof. At Idonex,
> the anonymous cvs server runs on a daily *copy* of the real
> repository, on a standalone machine; that arrangement makes me feel
> better.

Right, but all that's being suggested is anonymous read-only access,
which means that most of those two paragraphs apply (since there are no
passwords involved in anonymous access, and it says only that if a user
has non-read-only access they can execute commands.)  Of course, the
last sentence of the second paragraph you quoted is always cause for
worry when running new servers on one's machine.

-Daniel

-- 
Daniel Eisenbud
[EMAIL PROTECTED]
[EMAIL PROTECTED] (try this one if the Berkeley address bounces)
