bug-cvs

CVS Security Issues


From: Derek Robert Price
Subject: CVS Security Issues
Date: Thu, 18 Dec 2003 14:26:26 -0500
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624 Netscape/7.1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Two patches were recently brought to my attention.  One moves the
CVSROOT/passwd file(s) into /etc/cvs.passwd
<http://www.xs4all.nl/~carlo17/cvs/index.html> and the other adds a
/etc/cvs-repouids which overrides any system users listed for users in
the CVSROOT/passwd file
<ftp://ftp.gnu.org/savannah/patches/wichert-cvs-patch.text>.

The idea of both is to make it harder to overwrite the CVSROOT/passwd
file and gain root.  I've actually just committed a fix that will be
released soon with 1.11.11 & 1.12.5 which causes CVS to refuse to
continue running if the system user specified in CVSROOT/passwd maps to
root, but that doesn't stop anyone with write access to the
CVSROOT/passwd file from assuming any other UID they'd like.

Does anyone else have any opinions on this?  I'm a little torn on the
issue (aside from the fact that I don't have time to write the
documentation for the patches just now).  On the one hand, this could
move some of CVS's vulnerable files to a location where they are harder
to get at.  On the other hand, CVS repositories have been mostly
self-contained for some time, and the documentation already makes it
clear that CVSROOT permissions should be controlled as tightly as
/etc's, so I'm not inclined to be swayed by the complaint that a simple
misstep in setting the group ownership of CVSROOT is all it takes to
open your system up to an already trusted user - the same could be said
for /etc.

Consolidation of vulnerable files might almost be a valid argument, but
I don't think I buy it.  Plenty of other sensitive files are scattered
around /var and elsewhere by various programs and I hear few
complaints.  Is there a standards document I should be reading?

Derek

- --
                *8^)

Email: address@hidden

Get CVS support at <http://ximbiot.com>!
- --
I've never made a mistake in my life.  I thought I had once, but it
turned out that I hadn't.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Using GnuPG with Netscape - http://enigmail.mozdev.org

iD8DBQE/4f9hLD1OTBfyMaQRAhZTAJ4r7BdylGSUU66lyiftjTxIClRbXwCgqep7
FBWdVp8sUgZ2+432auNHFfE=
=f6Sq
-----END PGP SIGNATURE-----
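
An added example, not part of the original post and not CVS's own code: a defender-side audit of which system accounts a CVSROOT/passwd file maps to, plus a check for group- or world-writable administrative paths. It assumes the `cvs_user:hash[:system_user]` line layout; the sample entries, the UID table and all function names are constructed for illustration.

```python
import os
import pwd
import stat

# Constructed sample in the CVSROOT/passwd layout: cvs_user:crypt_hash[:system_user]
SAMPLE = """\
alice:constructedhash1
bob:constructedhash2:cvsuser
mallory:constructedhash3:toor
carol:constructedhash4:ghost
"""

def parse_cvs_passwd(text):
    """Yield (cvs_user, system_user) for each non-blank line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.strip().split(":")
        # With no third field the CVS user name doubles as the system user.
        system_user = fields[2] if len(fields) > 2 and fields[2] else fields[0]
        yield fields[0], system_user

def system_uid(name):
    """Resolve a system user to its UID, or None if the account does not exist."""
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None

def audit_entries(text, uid_of=system_uid):
    """Return (cvs_user, system_user, uid, status) rows; uid 0 is flagged by number, not name."""
    rows = []
    for cvs_user, system_user in parse_cvs_passwd(text):
        uid = uid_of(system_user)
        status = "unknown" if uid is None else "root" if uid == 0 else "ok"
        rows.append((cvs_user, system_user, uid, status))
    return rows

def loose_paths(admin_dir):
    """Return admin_dir and its passwd file if group or others may write to them."""
    candidates = [admin_dir, os.path.join(admin_dir, "passwd")]
    return [p for p in candidates
            if os.path.exists(p) and os.stat(p).st_mode & (stat.S_IWGRP | stat.S_IWOTH)]

if __name__ == "__main__":
    for row in audit_entries(SAMPLE, uid_of={"alice": 1001, "cvsuser": 1500, "toor": 0}.get):
        print(row)
```

The "ok" rows are still worth reading: they list every non-root account a writer of the file can map a login to, which is the residual exposure the message describes.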





