[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Cvs-dev] interesting security problem
From: |
Mark D. Baushke |
Subject: |
[Cvs-dev] interesting security problem |
Date: |
Wed, 30 Aug 2006 13:13:36 -0700 |
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Folks,
Consider the following:
Administrator A creates an :ext:my-host.dom.ain/cvsroot repository
The repository has many fun and interesting policies enabled by
the triggers present in the /cvsroot/CVSROOT files.
There exists a particularly interesting subdirectory
src/projectA/subprojectB
which a userX feels they MUST change, but they are prohibited.
However, they are able to write to src/projectA files without
any problems and allowed to write to subprojectB files when
given special tokens for the verifymsg script to accept.
userX executes the following commands:
cvs -d :ext:my-host.dom.ain/cvsroot/src/projectA init
cvs -d :ext:my-host.dom.ain/cvsroot/src/projectA co subprojectB
cd subprojectB
: make many changes
cvs commit
cd ..
cvs -d :ext:my-host.dom.ain/cvsroot/src/projectA co CVSROOT
cvs rm -f *
cvs commit
Now, unless folks are alert, their normal cvs checkout -P commands
will never show them the src/projectA/CVSROOT directory in their
trees and they will wonder why userX was able to commit without
proper authorization.
Query: Is it desirable to determine if the path on a CVSROOT command is
already inside of an existing repository and disallow this behavior?
Obviously just prohibiting the 'cvs init' command may not be sufficient
as creation of a CVSROOT directory in a project along with populating it
manually would also have the same potential impact although at least in
that case the administrator may notice the creation of the new CVSROOT
directory.
Curious,
-- Mark
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (FreeBSD)
iD8DBQFE9fFwCg7APGsDnFERAnBnAKDTNDb6btzAv3KoEC2jLSujOntgeQCbB8QA
C/gpcq+baJfoZhP2Mfdg05k=
=p/Ou
-----END PGP SIGNATURE-----
- [Cvs-dev] interesting security problem,
Mark D. Baushke <=