Re: Setting up secure cvs server
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: Setting up secure cvs server
- From: Joshua Rubin <joshua_(_at_)_cybertron_(_dot_)_cc>
- Date: Sun, 28 Nov 2004 07:46:19 -0700
Thanks! I think I will have to implement something like that. :)
I am wondering if anyone has successfully chrooted cvsupd?
Also, does anyone know how I can set cvsupd to run as an unprivileged user?
cvsupd will be the only cvs server I will be running, the actual cvs changes
will be made over ssh, like in Patrick's suggestion.
Thanks again,
Joshua
On Saturday 27 November 2004 10:58 pm, Patrick Giagnocavo wrote:
> On Sat, Nov 27, 2004 at 10:34:06PM -0700, Joshua Rubin wrote:
> > Hi,
> >
> > I am looking for some articles to aid in setting up a secure cvs and
> > cvsup server. I know that chrooting and using ssh are the way to go, but
> > I have found minimal information about how to do that. I would love to
> > set up remote password protected developer access without the obvious
> > risks of pserver, unchrooted and sending passwords in plain text. Way
> > too many security issues with doing that...
>
> I can't speak to your developers, but this is what has worked for me:
>
> 1. All developers who commit code get SSH access to the server, and
> use CVS over SSH to perform all CVS functions. If you want to lock it
> down further, you can set up SSH to only allow certain commands to be
> run, which denies an attacker access to a shell if a developer's
> account is compromised.
>
> 2. Anonymous checkout is done via allowing people to download
> tarballs and individual files via a Web interface. There is a
> Python-based web GUI which can serve up a CVS repository, something
> like viewcvs.py .
>
> I don't run pserver, and have found that the combination of allowing
> developers easy commits, and everyone else easy source code access via
> the Web, in either file by file or tarball form, to be something that
> is acceptable. It is a "good enough" solution, while being much more
> secure.
>
> Cordially
--
Joshua Rubin
Joshua_(_dot_)_Rubin_(_at_)_Colorado_(_dot_)_EDU
(303) 909-6199
http://www.cybertron.cc
Cassini Mission to Saturn
Ultraviolet Imaging Spectrograph (UVIS)
Assistant Team Lead
My PGP Public Key:
http://pgp.mit.edu:11371/pks/lookup?search=0xBECC02AE&op=index
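
Added example, not part of the original thread: one way to do the SSH lock-down from point 1 of the quoted reply is an OpenSSH forced command on each developer key that permits only the `cvs server` request a CVS client sends over SSH. The wrapper path `/usr/local/libexec/cvs-only`, the function names and the placeholder key are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical install path: /usr/local/libexec/cvs-only).
# sshd runs this wrapper instead of whatever the client asked for and puts
# the client's request in SSH_ORIGINAL_COMMAND.
#
# Matching authorized_keys entry on the server, one line per developer key
# (key material is a placeholder):
#   command="/usr/local/libexec/cvs-only",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa <DEVELOPER-PUBLIC-KEY> dev@example

# Return 0 only for the exact request a CVS client makes with CVS_RSH=ssh;
# an exact match means "cvs server; sh", scp, or a shell are all refused.
cvs_only_allowed() {
    case "$1" in
        "cvs server") return 0 ;;
        *)            return 1 ;;
    esac
}

cvs_only_main() {
    # Empty SSH_ORIGINAL_COMMAND means an interactive login was requested.
    if cvs_only_allowed "${SSH_ORIGINAL_COMMAND:-}"; then
        # Fixed argv: nothing supplied by the client reaches a shell.
        exec cvs server
    fi
    # Record the refusal for later review, then fail closed.
    logger -p auth.warning -t cvs-only \
        "refused for ${USER:-unknown}: ${SSH_ORIGINAL_COMMAND:-interactive login}" \
        2>/dev/null || true
    echo "cvs-only: only 'cvs server' is permitted on this account" >&2
    return 1
}

# Act as the gate only when installed and invoked under the wrapper name.
if [ "${0##*/}" = "cvs-only" ]; then
    cvs_only_main
    exit $?
fi
```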