info-cvs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: System password authentication


From: Greg A. Woods
Subject: Re: System password authentication
Date: Fri, 11 Apr 2003 18:20:28 -0400 (EDT)

[ On Friday, April 11, 2003 at 17:47:15 (-0400), Larry Jones wrote: ]
> Subject: Re: System password authentication
>
> Brian Murphy writes:
> >
> > But this code rejects a blank password "" given by the user, should that not
> > be accepted according to your explanation.
> 
> Mea culpa -- I was looking at the wrong code.  You were right, that code
> *is* checking the system password, not the repository password.  And
> you're also correct that it accepts a non-blank entered password as
> matching a blank system password but rejects a blank entered password. 
> I have no idea why -- the code seems to have been that way forever.  The
> fascist side of my personality wants to reject any attempt to use a
> system account with no password, the more liberal side says that if
> someone is stupid enough to have an account with no password then they
> deserve whatever happens (one can argue whether than means accepting any
> password at all or just a blank one).  Opinions from the peanut gallery?

This member of the peanut gallery maintains that CVS should never ever
look at any password, system or private, "blank" or completely unguessable.

CVS is not a security application and must not make authentication and
authorisation decisions.  Cvspserver should only be used for anonymous
read-only access, if indeed it is ever used for anything.

-- 
                                                                Greg A. Woods

+1 416 218-0098;            <address@hidden>;           <address@hidden>
Planix, Inc. <address@hidden>; VE3TCP; Secrets of the Weird <address@hidden>




reply via email to

[Prev in Thread] Current Thread [Next in Thread]