info-cvs
Restricting users from command prompts [was: (no sub)]


From: Todd Denniston
Subject: Restricting users from command prompts [was: (no sub)]
Date: Mon, 02 Mar 2009 13:15:54 -0500
User-agent: Thunderbird 2.0.0.19 (X11/20081209)

Rez P wrote, On 03/02/2009 01:03 PM:
> Hi all
> Is there any way to set up CVS on a Redhat Linux server so users using wincvs on windows client machines could use the pserver method (or any method) to do regular CVS transactions (ci,co,add,etc) but don't actually have user id/pw on the linux server and no entries in /etc/passwd? For security reasons we just want them to have access to the repository and not anything else on the linux server. Thanks

http://ximbiot.com/cvs/manual/cvs-1.11.23/cvs_2.html#IDX87

http://ximbiot.com/cvs/manual/cvs-1.11.23/cvs_2.html#SEC32
second paragraph:
"On the other hand, once a user has non-read-only access to the repository, she can execute programs on the server system through a variety of means. Thus, repository access implies fairly broad system access as well. It might be possible to modify CVS to prevent that, but no one has done so as of this writing."

I.e., you may be (probably are) buying yourself nothing. Either you trust your users or you don't. From what I recall you can also configure SSH to only allow certain commands to be run by certain users. I have never done it myself, but I understand it is possible, and when it comes to security I would trust the SSH code more than the CVS security code.

Good luck.
--
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter
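
The SSH command restriction mentioned in the reply above, as an added example that is not part of the original message: an OpenSSH forced command that lets a key run only the CVS server. The script name and path `cvs-gate`, the key placeholder and the assumption that clients use the default `CVS_SERVER` (so they request exactly `cvs server`) are illustrative. It narrows the SSH entry point only; the manual's point about users with write access to the repository still applies.

```shell
#!/bin/sh
# Added example: forced-command gate for CVS-over-SSH accounts.
# Hypothetical install path: /usr/local/bin/cvs-gate
#
# Matching ~/.ssh/authorized_keys entry (one line, key is a placeholder):
#   command="/usr/local/bin/cvs-gate",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa <PUBLIC-KEY> user@client
#
# sshd ignores the command the client asked for and runs this script instead;
# the client's request is passed in SSH_ORIGINAL_COMMAND.

# Return 0 only for the exact command a CVS client sends over :ext:
# (assumes the default CVS_SERVER=cvs on the client side).
cvs_gate_allowed() {
    case "$1" in
        "cvs server") return 0 ;;
        *)            return 1 ;;
    esac
}

cvs_gate_main() {
    # An unset SSH_ORIGINAL_COMMAND means an interactive login attempt.
    if cvs_gate_allowed "${SSH_ORIGINAL_COMMAND:-}"; then
        exec cvs server
    fi
    # Replace non-printable bytes before logging the client-supplied request.
    req=$(printf '%s' "${SSH_ORIGINAL_COMMAND:-<interactive>}" | tr -c '[:print:]' '?')
    logger -t cvs-gate -p auth.warning "denied for ${USER:-unknown}: $req" 2>/dev/null || true
    echo "This account is restricted to CVS access." >&2
    exit 1
}

# Run the gate only when the script is installed under its own name.
case "${0##*/}" in
    cvs-gate) cvs_gate_main ;;
esac
```
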



