bug-cvs

Re: CVS Security Issues


From: Derek Robert Price
Subject: Re: CVS Security Issues
Date: Fri, 19 Dec 2003 13:31:35 -0500
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624 Netscape/7.1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Walter, Jan wrote:

>The only reason to put the passwords somewhere else is to prevent someone
>from accidentally checking it out and accidentally changing or deleting
>someone else's password and checking the file back in. It's a support issue,
>not a security one, whether the user intended to change their password or


Actually, the party that requested the change and prompted me to start
this discussion stated a concern for the fact that anyone with write
access to CVSROOT could add passwd to CVSROOT/checkoutlist, `cvs add'
passwd via CVS, then commit it, causing the CVS server to create a
passwd,v that didn't previously exist and overwrite the existing (or
create) CVSROOT/passwd from the archive containing their version of the
passwd file.  Prior to 1.11.11, this could even be used to grant them
root privileges.

Now, the CVS manual does state that permissions on $CVSROOT/CVSROOT
should be controlled as tightly as those of /etc, rendering this point
somewhat moot since if permissions were controlled correctly, then this
wouldn't be able to happen.

It might be reasonable to move the most vulnerable files to a location
where sysadmins are already used to controlling the permissions tightly,
but many other fairly secure applications, Apache and qmail come
instantly to mind, do not seem to find it important to bother with
this.  Anyhow, my reporter was enthusiastic, but I wasn't so sure, so I
thought I would see what others thought about it.

Derek

- --
                *8^)

Email: address@hidden

Get CVS support at <http://ximbiot.com>!
- --
I will not fake my way through life.
I will not fake my way through life.
I will not fake my way through life...

          - Bart Simpson on chalkboard, _The Simpsons_
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Using GnuPG with Netscape - http://enigmail.mozdev.org

iD8DBQE/40QGLD1OTBfyMaQRAtVoAKDU8iOxv8NIphOfMVUbX19n9sIvcgCfXN80
MMNXf147buRrclysvPVFEn4=
=MvXJ
-----END PGP SIGNATURE-----
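The scenario Derek describes (passwd added to CVSROOT/checkoutlist, a passwd,v archive committed, and the mitigation of keeping $CVSROOT/CVSROOT as tight as /etc) can be turned into a repository audit. The script below is an added example and is not code from this thread or from the CVS project; the function names, the permission policy it enforces, and the two constructed sample repositories are assumptions for illustration. It needs no cvs binary, since it only inspects the on-disk state a commit would leave behind.

```shell
#!/bin/sh
# Added example, not code from the bug-cvs thread or from the CVS project.
# Audits a CVS repository for the CVSROOT/passwd exposure discussed above.
# Function names and the sample repositories built below are assumptions.

# audit_cvsroot ROOT
#   Prints one FINDING line per problem; returns 1 if any were found, 0 if clean.
audit_cvsroot() {
    ctl="$1/CVSROOT"
    rc=0

    if [ ! -d "$ctl" ]; then
        echo "FINDING: $ctl is not a directory"
        return 1
    fi

    # A passwd,v archive means passwd has been put under version control:
    # anyone who can commit to CVSROOT can then commit their own copy.
    if [ -f "$ctl/passwd,v" ]; then
        echo "FINDING: $ctl/passwd,v exists; passwd is under version control"
        rc=1
    fi

    # passwd in checkoutlist makes the server regenerate CVSROOT/passwd
    # from that archive after each commit.
    if [ -f "$ctl/checkoutlist" ] &&
       grep -Eq '^[[:space:]]*passwd([[:space:]]|$)' "$ctl/checkoutlist"; then
        echo "FINDING: passwd is listed in $ctl/checkoutlist"
        rc=1
    fi

    # CVSROOT and its control files should be no looser than /etc:
    # flag anything group- or world-writable (char 6 / char 9 of ls -ld).
    for f in "$ctl" "$ctl/passwd" "$ctl/checkoutlist"; do
        [ -e "$f" ] || continue
        perm=$(ls -ld "$f" | cut -c1-10)
        case "$perm" in
            ?????w????|????????w?)
                echo "FINDING: $f is group- or world-writable ($perm)"
                rc=1 ;;
        esac
    done
    return "$rc"
}

# make_clean_repo DIR -- constructed sample: passwd kept out of version
# control, checkoutlist without passwd, tight permissions.
make_clean_repo() {
    mkdir -p "$1/CVSROOT"
    printf '# files to check out into CVSROOT after a commit\nloginfo\n' \
        >"$1/CVSROOT/checkoutlist"
    printf 'alice:hashedpasswordhere\n' >"$1/CVSROOT/passwd"
    chmod 700 "$1/CVSROOT"
    chmod 600 "$1/CVSROOT/passwd" "$1/CVSROOT/checkoutlist"
}

# make_tampered_repo DIR -- constructed sample of the state described in the
# message: passwd appended to checkoutlist, a passwd,v archive present, and
# CVSROOT left world-writable so anyone could have done it.
make_tampered_repo() {
    make_clean_repo "$1"
    printf 'passwd\n' >>"$1/CVSROOT/checkoutlist"
    : >"$1/CVSROOT/passwd,v"
    chmod 777 "$1/CVSROOT"
}

# Stand-alone demo on two throwaway repositories.
demo=$(mktemp -d)
make_clean_repo "$demo/clean"
make_tampered_repo "$demo/tampered"
echo "== clean =="
if audit_cvsroot "$demo/clean"; then echo "ok"; fi
echo "== tampered =="
if ! audit_cvsroot "$demo/tampered"; then echo "repository needs attention"; fi
rm -rf "$demo"
```

Run it against a real repository with `audit_cvsroot /path/to/cvsroot`; the tampered sample produces three findings (the archive, the checkoutlist entry, and the loose directory mode), while the clean one produces none.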