Re: Somewhat of a security hole in CVS
Marc Slemko (marcsZNEP.COM)
Fri, 29 Aug 1997 12:37:31 -0600
- In reply to: Elliot Lee: "Somewhat of a security hole in CVS"
On Fri, 29 Aug 1997, Theo de Raadt wrote:

> > Of course, having someone do a complete security audit of CVS wouldn't
> > hurt either ;-)
>
> I looked at it a bit. It was above the quality of most GNU software.
> I didn't pay any attention to pserver because I think it's yet-another
> cleartext login method, and hence I would never use it.

Sending passwords across the network in cleartext is the least of your worries with pserver. Two bigger concerns are that it runs on an unprivileged port from inetd which means on most systems you can steal connections away from it and grab the passwords (ok, so OpenBSD and some other OSes will stop you from rebinding to the port as a different uid, but all you have to do is make inetd give up and release it) and that the password used for access is stored unencrypted (trivially encoded, but not encrypted) on the local disk.

> We actually prefer to use ssh/rsh access for the anoncvs servers, and
> we have a chroot wrapper that starts the cvs command up within a
> chroot space. It's basically as secure as ftpd's use of chroot. And
> if they get a shell, they discover that the entire chroot space is
> read-only.

pserver is easy to set up that way too, assuming you already have read-only hacks in CVS such as the ones the OpenBSD source has. I prefer pserver to ssh for anoncvs because connection establishment time is lower. rsh is reasonable, but if you don't allow rsh connects to your machine...

That all assumes, of course, that you aren't concerned about getting hacked source from someone pretending to be the server. If you are, ssh is obviously the way to go.

For real commit access to the repository, ssh is the best solution I have found.

On Fri, 29 Aug 1997, Elliot Lee wrote:

> If you run the CVS pserver as per the instructions in the CVS info page
> (running it as root from inetd) anyone can get access to any account
> except root (and perhaps root too - there may be CVS commands that run
> scripts and don't check if uid == 0). If you don't run it as root they can
> still get full access to the repository.

This is old news. The latest cvs (1.9.14, perhaps .10 as well) has a --allow-root option that needs to be passed to it on the command line to tell you what repositories to allow access to. Then, of course, you have to be sure that $CVSROOT, $CVSROOT/CVSROOT and $CVSROOT/CVSROOT/* are not writable by anyone who shouldn't have root.

Don't trust pserver is my best recommendation.
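
Added example, not part of the original message or of CVS itself: a shell check of the three locations the post names ($CVSROOT, $CVSROOT/CVSROOT and the entries directly inside it) for write access beyond a single trusted owner. The function names, the "one trusted owner, no group or world write" policy, and the use of `find -maxdepth` (GNU/BSD find) are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: audit write access on a CVS repository's administrative area.
# Assumed policy: only one trusted owner may write to these paths.

# _risky <maxdepth> <path> <owner>
# Print entries that are group-writable, world-writable, or not owned by <owner>.
_risky() {
    find "$2" -maxdepth "$1" \
        \( -perm -020 -o -perm -002 -o ! -user "$3" \) -print
}

# audit_cvsroot <repository> [trusted_owner]
# Returns 0 if nothing is flagged, 1 if findings were printed, 2 on bad input.
audit_cvsroot() {
    root=$1
    owner=${2:-root}          # user name or numeric uid; defaults to root
    admin=$root/CVSROOT

    if [ ! -d "$admin" ]; then
        echo "audit_cvsroot: $admin is not a directory" >&2
        return 2
    fi

    # Depth 0 on the repository root: the directory itself only.
    # Depth 1 on CVSROOT: the directory and the files directly inside it.
    # Module directories are outside the scope the post describes and are
    # deliberately not examined here.
    findings=$(
        _risky 0 "$root" "$owner"
        _risky 1 "$admin" "$owner"
    )

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Run the audit only when a repository path is given on the command line.
[ $# -eq 0 ] || audit_cvsroot "$@"
```

Each printed path needs a decision: tighten the mode or ownership, or confirm that every account able to write there is one you would trust with the privileges pserver runs under.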