This is the mail archive of the
mailing list for the Cygwin project.
ntsec+inetd+cvspserver (was CVS PServer problem)
- From: "Phil Dempster" <dempster at lsil dot com>
- To: <cygwin at cygwin dot com>
- Cc: "Geoff Soutter" <gsoutter at molten dot com dot au>, "'Charles Wilson'" <cwilson at ece dot gatech dot edu>
- Date: Wed, 30 Jan 2002 10:46:48 -0000
- Subject: ntsec+inetd+cvspserver (was CVS PServer problem)
I've managed to get CVS pserver running on Win2K (ntsec) and am in the
process of preparing some documentation for it. I'm trying to grasp just
how the user ID switching works when CVS is spawned from inetd.
I've found that it is not necessary to specify the user as `root' in
inetd.conf, for example `Guest' will suffice.

    cvspserver stream tcp nowait Guest /usr/bin/cvs cvs -f --allow-root=/usr/local/cvsroot pserver

I'd hoped that would make it a lot harder for anyone with malicious intent
to gain access via pserver. However, I'm not convinced that isn't a bogus
assumption. Does anything spawned from inetd run as the same uid as inetd
itself (i.e. System)?
I also have CVS users set up to use the Guest account (passwords in example
below are `sandwich' and `scratchings' respectively - I was hungry when I
set it up)
One of the recommended ways of setting up CVS pserver is, I believe, to have
`cvs' and `cvsadmin' user accounts on the server PC, with normal multi-user
access using the (lower permission) `cvs' account. I've effectively done
this by having the administrative files owned by `Administrator' and the
rest of the repository owned by `Guest'. However, it seems to be possible
to checkout CVSROOT and commit changes to the administrative files (their
ownership is then set to Guest). This seems like unhealthy behaviour.
As a separate issue, although remote CVS pserver operations work correctly,
I get the message `cvs commit: reading from xx.xx.xx.xx: Connection reset by
peer'. I'm wondering if this is related to the issue described here:
Suggestions or constructive comments welcome.