bug-cvs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: denial-of-service attack prohibits all users from creating new repos


From: Mark D. Baushke
Subject: Re: denial-of-service attack prohibits all users from creating new repositories
Date: Tue, 01 Jun 2010 08:45:22 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Bruno,

Bruno Haible <address@hidden> wrote:

> > The only workaround would be to use chroot...
> 
> Nice idea. But no, 'autopoint' should not require superuser privileges
> to run.

Yes, but it would more likely mean that the 'administrator' of the box
thought that the problem was okay to 'fix'.

> > If there is sufficient demand, a '-f' option to force overwrite of an
> > existing repository may be able to be added.
> 
> No one is trying to overwrite an existing repository. The problem is that the
> 'cvs init' command is looking at ../../../../../../.., a location far away
> from the current directory in the file system, and giving it more importance
> than the command line parameters.
> 
> Not "sufficient demand" so far? I have already pointed to 4 users who
> had the problem.

The reason the check exists is because users were 'accidentally'
creating new repositories inside of other repositories and 'avoiding'
the existing real 'CVSROOT' trigger scripts for tagging and committing.

The code to check up the path to see if the new directory is nominally a
subtree of an existing repository is to stop such behavior and could be
considered a security feature to the integrity of a CVS repository
(althogh, typically only 'important' if set-gid or set-uid cvs
executables are involved).

        -- Mark
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFMBSsSCg7APGsDnFERAn0nAKCvWTmNnlZC1tPSSO1y8OA5IzQy0QCgzvHc
pZO7MBKVUhRrCPgrzhpJcQw=
=PosX
-----END PGP SIGNATURE-----



reply via email to

[Prev in Thread] Current Thread [Next in Thread]