[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian Boot CVS: aph

Erik Andersen <andersen@codepoet.org> writes:

> On Mon Nov 13, 2000 at 11:02:53PM -0800, Joey Hess wrote:
> > Adam Di Carlo wrote:
> > > BTW, there's something wrong with the scripts where they are saying
> > > all the changes are by me, which is wrong.
> > 
> > I'll bet it's people committing with the pserver all come out as you,
> > since the commits actally happen as you. My couple of commits today
> > correctly showed they were commited by me, since I used ssh.
> I just took a look at /cvs/debian-boot/CVSROOT on cvs.debian.org and there are
> problems with some cases.  The password file is only needed to allow pserver
> access for people _without_ system accounts.

Yes, I know.

> The need for the:
>     annonymous:<crypted passwd>:<some other user with a system account>
> syntax (which is used exclusively at the moment in the boot-floppies
> CVSROOT/passwd file) is only for the case when the user being granted access
> does not have a system account.

Sure sure...

> For example, (I'll pick on tausq since he is in the boot-floppies passwd file)
> for tausq, there is an entry in passwd, which is being mapped to aph. But tausq
> has an account on the system.  So if tausq commits something using pserver, it
> will appear that aph committed the change.  Since tausq has an account on the
> system, his system account automagically grants him pserver access, so the
> entry in /cvs/debian-boot/CVSROOT/passwd for him should be removed.  If tausq
> wanted to use a different password (other then his usual system password) for
> pserver access, then he would simply have a passwd entry like so:
>     tausq:<crypted passwd>

As far as I'm concerned, users with system accounts should not use
pserver at all.  It's insecure.

I'll remove tausq but if there are any other incidents, they are
purely things which should be removed.

Anyhow, it has little to nothing to do with the bug in the CVS emails.

.....Adam Di Carlo....adam@onShore.com.....<URL:http://www.onShore.com/>

Reply to: