[Cvs-dev] interesting security problem

[Mark D. Baushke]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Folks,

Consider the following:

   Administrator A creates an :ext:my-host.dom.ain/cvsroot repository
   The repository has many fun and interesting policies enabled by
   the triggers present in the /cvsroot/CVSROOT files.

   There exists a particularly interesting subdirectory

     src/projectA/subprojectB

   which a userX feels they MUST change, but they are prohibited.
   However, they are able to write to src/projectA files without
   any problems and allowed to write to subprojectB files when
   given special tokens for the verifymsg script to accept.

   userX executes the following commands:

     cvs -d :ext:my-host.dom.ain/cvsroot/src/projectA init
     cvs -d :ext:my-host.dom.ain/cvsroot/src/projectA co subprojectB
     cd subprojectB
     : make many changes
     cvs commit
     cd ..
     cvs -d :ext:my-host.dom.ain/cvsroot/src/projectA co CVSROOT
     cvs rm -f *
     cvs commit

   Now, unless folks are alert, their normal cvs checkout -P commands
   will never show them the src/projectA/CVSROOT directory in their
   trees and they will wonder why userX was able to commit without
   proper authorization.

Query: Is it desirable to determine if the path on a CVSROOT command is
already inside of an existing repository and disallow this behavior?

Obviously just prohibiting the 'cvs init' command may not be sufficient
as creation of a CVSROOT directory in a project along with populating it
manually would also have the same potential impact although at least in
that case the administrator may notice the creation of the new CVSROOT
directory.

        Curious,
        -- Mark

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (FreeBSD)

iD8DBQFE9fFwCg7APGsDnFERAnBnAKDTNDb6btzAv3KoEC2jLSujOntgeQCbB8QA
C/gpcq+baJfoZhP2Mfdg05k=
=p/Ou
-----END PGP SIGNATURE-----