[Zope] permissions issues with a CVS interface
Dieter Maurer
dieter@handshake.de
Thu, 10 Apr 2003 19:56:07 +0200
Dennis Allison wrote at 2003-4-9 12:42 -0700:
> ...
> I see a couple of possibilities--perhaps the simplest is to make the
> 'nobody' group the CVS group. CVS explicitly disallows commits by
> root, but does not appear to disallow commits by 'nobody'. Alternatively,
> I could always spawn a suid process that performs the CVS task--but that
> seems overkill and a potential security hole.
The easiest way would be to add "nobody" to the group "cvs".
Whether this is a good idea depends on what other purposes
you use "nobody" for.

The alternative would be to run Zope as a different user
which belongs to the group "cvs".

In all these cases, an attacker who successfully broke
into your Zope might get CVS access.
Dieter
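
An added example (not part of the original message, and not Zope or CVS code): a shell check that lists every account effectively holding the "cvs" group, since under either option above those are the accounts through which a Zope compromise reaches the repository. The group and passwd contents, the GID 2401, and the "alice" and "zope" account names are constructed for illustration.

```shell
#!/bin/sh
# Added example: who effectively holds the "cvs" group on this host?
# Membership comes from two places: the member list in the group file
# (supplementary) and the primary GID field in the passwd file.

# group_members GROUP GROUP_FILE PASSWD_FILE -> sorted account names
group_members() {
    gm_gid=$(awk -F: -v g="$1" '$1 == g { print $3; exit }' "$2")
    [ -n "$gm_gid" ] || return 1          # no such group
    {
        awk -F: -v g="$1" '$1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$2"
        awk -F: -v gid="$gm_gid" '$4 == gid { print $1 }' "$3"
    } | sort -u
}

# in_group ACCOUNT GROUP GROUP_FILE PASSWD_FILE -> exit status 0 if member
in_group() {
    group_members "$2" "$3" "$4" | grep -qx -- "$1"
}

# Constructed sample data (not from the post): "nobody" added to cvs as a
# supplementary member, and a hypothetical dedicated "zope" account whose
# primary group is cvs.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
cvs:x:2401:alice,nobody
nobody:x:99:
EOF
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
nobody:x:99:99:Nobody:/:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/sh
zope:x:1500:2401:Zope service:/var/zope:/sbin/nologin
EOF

# Report every account through which a process would reach the repository.
for acct in $(group_members cvs "$SAMPLE_DIR/group" "$SAMPLE_DIR/passwd"); do
    echo "$acct: code running as this account can use group cvs permissions"
done
```

On a real host, pass /etc/group and /etc/passwd instead of the sample files; accounts defined only in a directory service will not appear in them.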