bug-cvs

Re: CVS Security Issues


From: Derek Robert Price
Subject: Re: CVS Security Issues
Date: Thu, 18 Dec 2003 17:21:11 -0500
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624 Netscape/7.1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mike Sutton wrote:

>On 12/18/03 14:26:26, Derek Robert Price wrote:
>
>>The idea of both is to make it harder to overwrite the CVSROOT/passwd
>>file and gain root.  I've actually just committed a fix that will be
>>released soon with 1.11.11 & 1.12.5 which causes CVS to refuse to
>>continue running if the system user specified in CVSROOT/passwd maps to
>>root, but that doesn't stop anyone with write access to the
>>CVSROOT/passwd file from assuming any other UID they'd like.
>
>
>I posted a patch long ago that did just this for pserver connections.
>If the mapped name correlates to root (uid 0) then access is denied.


Sorry I missed your earlier patch, but I already committed this one and
it's in the 1.11.11 & 1.12.5 releases.  This email was actually asking
about two different patches.  :)

Derek

- --
                *8^)

Email: address@hidden

Get CVS support at <http://ximbiot.com>!
- --
A handy telephone tip: Keep a small chalkboard near the phone.  That
way, when a salesman calls, you can hold the receiver up to it and run
your fingernails across it until he hangs up.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Using GnuPG with Netscape - http://enigmail.mozdev.org

iD8DBQE/4ihWLD1OTBfyMaQRAt5QAKD/ZjH7Hdb7dEjPCqpNZBn+QeXj+QCgkTU6
TU/hpcVRYOugh1/OUmn3GLA=
=7Kr9
-----END PGP SIGNATURE-----
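
An added example, not part of the original message and not CVS's own code: a small audit of a CVSROOT/passwd file that flags entries whose system user resolves to UID 0, the condition the fix discussed above refuses to run under. The sample entries, the function names and the account table are constructed for illustration.

```python
import pwd

# Constructed sample in CVSROOT/passwd format: cvs_user:crypt_hash[:system_user]
SAMPLE_PASSWD = """\
alice:Xq1z8sDkPl0aA:cvsdev
anon::nobody
build:Zr9kLm2QwErtY:toor
root:Ab3dEfGhIjKlM
ghost:Cd4eFgHiJkLmN:nosuchuser
"""


def system_uid(name):
    """Resolve a system user name to its UID on this host, or None if unknown."""
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None


def audit_cvs_passwd(text, lookup=system_uid):
    """Return (line_no, cvs_user, system_user, finding) for each risky entry."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split(":")
        cvs_user = fields[0]
        # With no third field, the CVS user name doubles as the system user name.
        system_user = fields[2] if len(fields) > 2 and fields[2] else cvs_user
        uid = lookup(system_user)
        if uid is None:
            findings.append((line_no, cvs_user, system_user, "unknown-system-user"))
        elif uid == 0:
            # Compared by UID, so any account name that maps to 0 is caught.
            findings.append((line_no, cvs_user, system_user, "maps-to-uid-0"))
    return findings


if __name__ == "__main__":
    # Constructed name -> uid table standing in for the host's account database.
    fake_db = {"cvsdev": 1001, "nobody": 65534, "toor": 0, "root": 0}
    for finding in audit_cvs_passwd(SAMPLE_PASSWD, fake_db.get):
        print(finding)
```

Run against a real repository by passing the contents of its CVSROOT/passwd and leaving `lookup` at its default, which consults the host's own account database.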





