RE: CVS Security Issues
From: Greg A. Woods
Subject: RE: CVS Security Issues
Date: Mon, 22 Dec 2003 02:05:13 -0500 (EST)

[ On Friday, December 19, 2003 at 18:04:42 (+0100), Walter, Jan wrote: ]
> Subject: RE: CVS Security Issues
>
> The only reason to put the passwords somewhere else is to prevent someone
> from accidentally checking it out and accidentally changing or deleting
> someone else's password and checking the file back in. It's a support issue,
> not a security one, whether the user intended to change their password or
> someone else's is another question entirely. But I think there is a 'gain'
> here by keeping the passwd file somewhere else where some git can't wipe all
> the users by accident and bring development to a grinding halt.

Sorry, but it _is_ a security issue.  If accidents can cause problems
with data used for authentication or authorisation then the causes of
those accidents are security issues.

Furthermore since this only gives a false sense of security, the whole
idea of making the change is a major security issue in and of itself.

> On security, you have two types of security anyways: 1) protection against
> malicious people and 2) protection for your data from accidental damage,
> deletion, or whatever ("protecting users from themselves"). CVS is part of
> category 2, obviously with the support of backup systems and so on.

Of course.

> Pserver figures into category 2 because you prevent the users from accidentally
> working in the actual repository and doing stuff like deleting directories.

Nope.  Pserver bypasses both types of security, even if the proposed
changes are made.  Pserver is _negative_ security, by its very definition.

-- 
                                                Greg A. Woods

+1 416 218-0098                  VE3TCP            RoboHack <address@hidden>
Planix, Inc. <address@hidden>          Secrets of the Weird <address@hidden>