I'm not sure I understand everything you have explained. Please bear with me
since I am fairly new to Linux from a setup pov.

I don't intend to have "cvs users" be actual system accounts. I am simply
trying to alias them onto an existing system account which I can control. The
problem I'm running into is that if I alias to an account other than the
account (cvsadmin) running CVS, I can't do any operations unless I change
uid/gid on /usr/bin/cvs - which I believe is a hack.

----- Original Message -----
From: "David Blevins" <david.blevins at visi.com>
To: <tclug-list at mn-linux.org>
Sent: Tuesday, April 02, 2002 1:51 PM
Subject: RE: [TCLUG] RedHat7.2 and CVS questions

> > > Shal Jain wrote:
> > >
> > > if <system_user> happens to be 'cvs', then all operations work correctly
> > > if <system_user> is another user that belongs to 'cvsgroup', I get errors
> > > regarding setgid/setuid
> > >
> > > The only way I have been able to get rid of the error is by setting the
> > > uid/gid bits on /usr/bin/cvs
> > > i.e. chmod 6755 /usr/bin/cvs.
> > >
> > > I'm not sure if this is the appropriate course of action.
>
> There is no reason to run all the users against the repository with their
> own account, in fact, I would see that as a security hole. From a
> repository standpoint it doesn't make sense either, cvs already records who
> made what changes and when.
>
> Also, don't give the user cvsuser access to the CVSROOT directory, create a
> special account cvsadmin for those who you trust with your life!
>
> When someone checks a file into the main repository, cvs will execute the
> commands it finds in files like CVSROOT/commitinfo and CVSROOT/loginfo
> using. To top it off, anything you add to the file CVSROOT/checkoutlist
> gets checked out into the CVSROOT directory of the server. With access to
> the CVSROOT directory, you can simply add the CVSROOT/passwd file to the
> CVSROOT/checkoutlist, then simply check in a passwd file and add users as
> you please. Nothing is stopping you from adding other users to run as root!
> Once they have root and the ability to execute commands, it's all over. All
> this with CVS and pserver...evil.
>
> For maximum security, run a chroot'ed cvs. I don't see any howto's on
> chroot'ing cvs specifically, but there is one on bind. The idea is the
> same, you should be able to figure out how to set up cvs to run the same way.
>
> http://www.linuxdoc.org/HOWTO/Chroot-BIND-HOWTO.html
>
> For general cvs stuff, I recommend the book Open Source Development with
> CVS. A real time saver.
>
> Good luck!
>
> -David
>
> _______________________________________________
> Twin Cities Linux Users Group Mailing List - Minneapolis/St. Paul, Minnesota
> http://www.mn-linux.org
> tclug-list at mn-linux.org
> https://mailman.mn-linux.org/mailman/listinfo/tclug-list
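
A small audit for the risks discussed in this thread, as an added example that is not part of the original messages: it flags CVSROOT/passwd aliases that resolve to root or to an unapproved account, a passwd entry in CVSROOT/checkoutlist, and setuid/setgid bits on the cvs binary. The sample file contents, the `cvsuser` allow-list and the function names are assumptions constructed for illustration.

```python
import os
import stat

# Constructed sample files, not taken from the thread.
SAMPLE_PASSWD = "alice:aaBBccDDeeFFg:cvsuser\nbob:hhIIjjKKllMMn:root\ncarol:ooPPqqRRssTTu\n"
SAMPLE_CHECKOUTLIST = "# extra admin files\npasswd\nunwrap.sh  could not check out\n"

def audit_passwd(text, allowed=("cvsuser",)):
    """Check CVSROOT/passwd lines of the form cvsname:crypt[:system_user].
    With no third field, pserver runs as the system account named cvsname."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.strip().split(":")
        if not fields[0]:
            continue  # blank line
        name = fields[0]
        system_user = fields[2] if len(fields) > 2 and fields[2] else name
        if system_user == "root":
            findings.append((n, name, "runs as root"))
        elif system_user not in allowed:
            findings.append((n, name, f"runs as unapproved account {system_user!r}"))
    return findings

def audit_checkoutlist(text, sensitive=("passwd",)):
    """Return sensitive files that checkoutlist would rebuild in CVSROOT on commit."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        filename = line.split()[0]  # rest of the line is an optional error message
        if filename in sensitive:
            hits.append(filename)
    return hits

def setid_bits(mode):
    """True if a file mode carries setuid or setgid (as chmod 6755 would set)."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))

if __name__ == "__main__":
    for n, name, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"CVSROOT/passwd line {n}: {name} {reason}")
    for filename in audit_checkoutlist(SAMPLE_CHECKOUTLIST):
        print(f"CVSROOT/checkoutlist exposes {filename} to commits")
    cvs_bin = "/usr/bin/cvs"  # path named in the thread
    if os.path.exists(cvs_bin) and setid_bits(os.stat(cvs_bin).st_mode):
        print(f"{cvs_bin} has setuid/setgid bits set")
```
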