I'm not sure I understand everything you have explained.  Please bear with
me since I am fairly new to linux from a setup pov.
I don't intend to have "cvs users" be actual system accounts.  I am simply
trying to alias them onto an existing system account
which I can control.  The problem I'm running into is that if I alias to
an account other than the account (cvsadmin) running CVS, I can't do any
operations unless I change uid/gid on /usr/bin/cvs - which I believe is a
hack.





----- Original Message -----
From: "David Blevins" <david.blevins at visi.com>
To: <tclug-list at mn-linux.org>
Sent: Tuesday, April 02, 2002 1:51 PM
Subject: RE: [TCLUG] RedHat7.2 and CVS questions


>
>
> Shal Jain wrote:
> >
> > if <system_user> happens to be 'cvs', then all operations work correctly
> > if <system_user> is another user that belongs to 'cvsgroup', I get
> > errors regarding setgid/setuid
> >
> > The only way I have been able to get rid of the error is by setting the
> > uid/gid bits on /usr/bin/cvs
> > i.e. chmod 6755 /usr/bin/cvs.
> >
> > I'm not sure if this is the appropriate course of action.
>
> There is no reason to run all the users against the repository with their
> own account, in fact, I would see that as a security hole.  From a
> repository standpoint it doesn't make sense either, cvs already records
> who made what changes and when.
>
> Also, don't give the user cvsuser access to the CVSROOT directory, create
> a special account cvsadmin for those who you trust with your life!
>
> When someone checks a file into the main repository, cvs will execute the
> commands it finds in files like CVSROOT/commitinfo and CVSROOT/loginfo
> using.  To top it off, anything you add to the file CVSROOT/checkoutlist
> gets checked out into the CVSROOT directory of the server.  With access to
> the CVSROOT directory, you can simply add the CVSROOT/passwd file to the
> CVSROOT/checkoutlist, then simply check in a passwd file and add users as
> you please.  Nothing is stopping you from adding other users to run as
> root!  Once they have root and the ability to execute commands, it's all
> over.  All this with CVS and pserver...evil.
>
> For maximum security, run a chroot'ed cvs.  I don't see any howto's on
> chroot'ing cvs specifically, but there is one on bind.  The idea is the
> same, you should be able to figure out how to set up cvs to run the same
> way.
>
> http://www.linuxdoc.org/HOWTO/Chroot-BIND-HOWTO.html
>
> For general cvs stuff, I recommend the book Open Source Development with
> CVS.  A real time saver.
>
> Good luck!
>
> -David
>
>
> _______________________________________________
> Twin Cities Linux Users Group Mailing List - Minneapolis/St. Paul, Minnesota
> http://www.mn-linux.org
> tclug-list at mn-linux.org
> https://mailman.mn-linux.org/mailman/listinfo/tclug-list
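
Added example, not part of the original thread or written by either poster: a small audit of a pserver CVSROOT directory for the two conditions discussed above, passwd being listed in checkoutlist and passwd entries that map to root or to an account outside an allow-list. It assumes passwd lines of the form cvs_user:hash[:system_user]; the function names, the allow-list and the sample entries are constructed for illustration.

```python
import os
import tempfile

# Assumed formats: CVSROOT/passwd lines are "cvs_user:crypt_hash[:system_user]",
# CVSROOT/checkoutlist lines are "filename [error message]".

def audit_cvsroot(cvsroot_dir, allowed_run_as):
    """Return a list of finding strings for checkoutlist and passwd."""
    findings = []
    checkoutlist = os.path.join(cvsroot_dir, "checkoutlist")
    if os.path.exists(checkoutlist):
        with open(checkoutlist) as fh:
            for line in fh:
                fields = line.split()
                if fields and fields[0] == "passwd":
                    findings.append("checkoutlist: passwd is rebuilt from the repository")
    passwd = os.path.join(cvsroot_dir, "passwd")
    if os.path.exists(passwd):
        with open(passwd) as fh:
            for lineno, line in enumerate(fh, 1):
                line = line.strip()
                if not line:
                    continue
                parts = line.split(":")
                cvs_user = parts[0]
                # Without a third field the server runs as the CVS user name itself.
                run_as = parts[2] if len(parts) > 2 and parts[2] else cvs_user
                if run_as == "root":
                    findings.append(f"passwd:{lineno}: {cvs_user} runs as root")
                elif run_as not in allowed_run_as:
                    findings.append(
                        f"passwd:{lineno}: {cvs_user} runs as unexpected account {run_as}")
    return findings

def demo():
    """Build a constructed CVSROOT in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "checkoutlist"), "w") as fh:
            fh.write("passwd\tcould not check out passwd\n")
        with open(os.path.join(d, "passwd"), "w") as fh:
            fh.write("alice:constructedhash1:cvsuser\n"
                     "bob:constructedhash2:root\n"
                     "carol:constructedhash3\n")
        return audit_cvsroot(d, allowed_run_as={"cvsuser"})

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```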