On Thu, Dec 15, 2005 at 10:05:20PM +0100, Sylvain Beucler wrote:
>Any progress on this issue?
>
>--
>Sylvain
>
>=====
>
>Package: cvs
>Version: 1:1.12.9-13
>Severity: important
>
>The fact PamAuth is enabled by default looks like a security risk:
>
>When I import a repository from a non-Debian system, configured with
>SystemAuth=no, I expect CVS not to fall back to the system for
>authentication.
>
>But since PamAuth is enabled by default, and was not available on the
>non-Debian system (so I am likely not to know about this parameter,
>which is incidentally rejected by non-Debian versions of CVS), then
>CVS actually does that fallback.
>
>The default value should be the same as SystemAuth; and only if
>PamAuth is explicitly specified should CVS take its value into
>account.

I disagree on the default config here. Many applications on a Debian
system will use PAM for auth and user info by default, so I don't see a
reason for CVS to be different. There is documentation in
/usr/share/doc/cvs/README.Debian about this config...

-- 
Steve McIntyre, Cambridge, UK. [EMAIL PROTECTED]
"Since phone messaging became popular, the young generation has lost the
ability to read or write anything that is longer than one hundred and sixty
characters." -- Ignatios Souvatzis
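
The case discussed in this thread can be checked for mechanically. The following is an added example, not part of either message and not code from the Debian cvs package: it reads the text of a CVSROOT/config file and reports whether SystemAuth=no is set while PamAuth is left unset. It assumes, as the report states, that the Debian build treats an absent PamAuth as enabled, and that an absent SystemAuth means "yes"; the function names and sample configs are constructed for illustration.

```python
# Added example: audit CVSROOT/config text for the fallback described in the report.
# Assumption: on the Debian build, PamAuth counts as enabled when the key is absent
# (as the report states); an absent SystemAuth is treated as "yes".

def parse_config(text):
    """Return {key: value} for 'key=value' lines; '#' starts a comment line."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip().lower()
    return settings


def audit(text, pam_follows_systemauth=False):
    """Report the effective settings for one config file.

    pam_follows_systemauth=False models the reported Debian default (PamAuth on
    unless set); True models the default proposed in the bug report.
    Simplification: any value other than "yes" is treated as disabled.
    """
    cfg = parse_config(text)
    system_auth = cfg.get("SystemAuth", "yes") == "yes"
    explicit = "PamAuth" in cfg
    if explicit:
        pam_auth = cfg["PamAuth"] == "yes"
    else:
        pam_auth = system_auth if pam_follows_systemauth else True
    return {
        "system_auth": system_auth,
        "pam_auth": pam_auth,
        "pam_explicit": explicit,
        # The case in the report: SystemAuth was disabled, PAM still answers.
        "unexpected_fallback": (not system_auth) and pam_auth and not explicit,
    }


# Constructed sample: a config imported from a non-Debian host.
IMPORTED = "# imported repository\nSystemAuth=no\nLockDir=/var/lock/cvs\n"
# Constructed sample: the same config with PamAuth pinned explicitly.
PINNED = IMPORTED + "PamAuth=no\n"

if __name__ == "__main__":
    for name, text in (("imported", IMPORTED), ("pinned", PINNED)):
        print(name, audit(text))
```

Setting PamAuth explicitly in an imported repository's config removes the dependence on whichever default the installed build uses.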