Re: "gserver currently only enabled for socket connections"
From: Brandon Craig Rhodes
Subject: Re: "gserver currently only enabled for socket connections"
Date: 27 Jun 2002 17:00:43 -0400
User-agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.4 (Common Lisp)
address@hidden (Larry Jones) writes:
> Have you tried running the current development release to ensure
> that it really does fix the problem?
The current development version fixes the problem.
> There don't seem to be many users of gserver (prior to your bug
> report I'd have said there don't seem to be *any* users), so it
> hasn't been a priority.
We wanted secure connections without having to create logins on our
server for our CVS users. If the :gserver: method paid any attention
to the CVS `passwd' file then we maybe could have used the third field
to map every user on to the `cvs' account, but the :gserver: method in
fact ignores the `passwd' file - and indeed must, since the :gserver:
protocol does not provide the repository name until after the user has
authenticated.
In support of this method we have implemented two changes which may be
of general interest; I will probably post them after they are tested:
- In our modified CVS, gserver_authenticate_connection(...), instead
of calling switch_to_user(...) to assume another uid, which would
require our server to run as root, sets the `CVS_Username' global
variable so that the user's name will be checked against the
`readers' and `writers' files.
- Since the `readers' and `writers' files cannot be used to restrict
read access, we changed the rules and also simplified them: users
listed in `writers' can read and write; users in `readers' can
read; and users in neither lack all access. This was necessary so
the thousands of users in our Kerberos database would not be given
automatic read access.
Let me know if others are interested in these changes; both seemed
necessary to us to feel that we were running a secure service without
having to grant separate account access on our cvs server.
--
Brandon Craig Rhodes http://www.rhodesmill.org/brandon
Georgia Tech address@hidden
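The access rule the message describes, side by side with the stock `readers'/`writers' semantics from the CVS manual, as an added example that is not code from the message or from CVS. The user names and file contents are constructed; the stock semantics (readers are read-only, writers if present restricts who may write, everyone else may read) are as documented for CVS, and the strict variant is the default-deny rule from the message.

```python
"""Access decisions from CVSROOT/readers and CVSROOT/writers.

Compares stock CVS (these files can never take read access away)
with the default-deny variant from the message: writers read and
write, readers read, everyone else gets nothing.
"""
from typing import FrozenSet, Optional


def parse_user_list(text: Optional[str]) -> Optional[FrozenSet[str]]:
    """One user name per line. None means the file does not exist."""
    if text is None:
        return None
    return frozenset(l.strip() for l in text.splitlines() if l.strip())


def stock_access(user: str, readers: Optional[FrozenSet[str]],
                 writers: Optional[FrozenSet[str]]) -> str:
    """Stock CVS: every authenticated user reads; files only limit writes."""
    if readers is not None and user in readers:
        return "r"          # readers file wins even if also listed in writers
    if writers is not None and user not in writers:
        return "r"          # writers present: unlisted users are read-only
    return "rw"             # default-allow: unlisted users may write


def strict_access(user: str, readers: Optional[FrozenSet[str]],
                  writers: Optional[FrozenSet[str]]) -> str:
    """Variant from the message: unlisted users have no access at all."""
    if writers is not None and user in writers:
        return "rw"
    if readers is not None and user in readers:
        return "r"
    return ""               # default-deny: e.g. an unrelated Kerberos principal


def access(user: str, readers_text: Optional[str],
           writers_text: Optional[str], strict: bool = False) -> str:
    """Return 'rw', 'r' or '' for user under the chosen rule set."""
    readers = parse_user_list(readers_text)
    writers = parse_user_list(writers_text)
    rule = strict_access if strict else stock_access
    return rule(user, readers, writers)


# Constructed sample files: alice is read-only, bob is a committer,
# carol exists in Kerberos but has no role in this repository.
READERS = "alice\n"
WRITERS = "bob\n"

if __name__ == "__main__":
    for who in ("alice", "bob", "carol"):
        print(who, repr(access(who, READERS, WRITERS)),
              repr(access(who, READERS, WRITERS, strict=True)))
```

The difference shows up only for the unlisted user: stock rules grant carol read access, the strict rules grant her nothing.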