On Thu, Aug 10, 2000 at 11:56:13AM -0400, Rich Salz wrote:
> My last word on the subject.
> 
> CVS requires everyone to be in your passwd file.  So does SSH, no?

With my --chroot patch this is optional. You can give everyone different 
uid's, or you can give them all the same uid. The password file that 
matters is not /etc/passwd but rather chroot/etc/passwd, since the
setuid happens after the chroot does.

You do need to list all your CVS users in the chroot/etc/passwd file, 
but you don't need to list them (and probably should NOT list them) in
your main password file. By not listing them in the main password file
you give them even less opportunity to break in since they don't actually
have valid accounts on the machine, even though they DO have uids.

I reserve a range of uid's for CVS (say 4000-5000). If you were really 
paranoid you could modify the --chroot patch code so that it makes sure
the resulting uid is in that range.

Justin
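
The range check suggested in the message above, as an added example that is not part of the original post or of the --chroot patch. The function name `cvs_uid_for`, the two macros and the sample passwd text are assumptions made for illustration; the range 4000-5000 is the one the message proposes.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Reserved range from the message ("say 4000-5000"); adjust to your site. */
#define CVS_UID_MIN 4000L
#define CVS_UID_MAX 5000L

/* Constructed sample of a chroot/etc/passwd, not taken from a real system. */
static const char SAMPLE_PASSWD[] =
    "root:x:0:0:root:/root:/bin/sh\n"
    "alice:x:4001:4001:CVS user:/cvs:/bin/false\n"
    "bob:x:0:0:misconfigured entry:/cvs:/bin/false\n"
    "carol:x::4003:empty uid field:/cvs:/bin/false\n"
    "dave:x:1000:1000:outside the range:/cvs:/bin/false\n";

/* Look up `user` in passwd-format text (name:pw:uid:gid:gecos:home:shell).
 * Returns the uid only when it lies in the reserved CVS range; returns -1
 * for an unknown user, a malformed uid field, or an out-of-range uid. */
long cvs_uid_for(const char *passwd_text, const char *user)
{
    size_t ulen = strlen(user);
    const char *line = passwd_text;
    if (ulen == 0) return -1;
    while (line && *line) {
        const char *eol = strchr(line, '\n');
        if (strncmp(line, user, ulen) == 0 && line[ulen] == ':') {
            const char *p = strchr(line + ulen + 1, ':'); /* skip pw field */
            char *end;
            /* Demand a leading digit: an empty or signed field must not
             * be read as 0 (root), which is what atoi() would return. */
            if (!p || (eol && p > eol) || p[1] < '0' || p[1] > '9') return -1;
            errno = 0;
            long uid = strtol(p + 1, &end, 10);
            if (errno || *end != ':') return -1;
            return (uid >= CVS_UID_MIN && uid <= CVS_UID_MAX) ? uid : -1;
        }
        line = eol ? eol + 1 : NULL;
    }
    return -1;
}

int main(void)
{
    const char *users[] = { "alice", "bob", "carol", "dave", "root" };
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        printf("%-5s -> %ld\n", users[i], cvs_uid_for(SAMPLE_PASSWD, users[i]));
    return 0;
}
```

A server using a check like this would refuse the connection on -1 and only call setgid() and setuid() with a value the function returned.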
