info-cvs

Security concern CVSROOT


From: Martin Vogt
Subject: Security concern CVSROOT
Date: Wed, 25 Oct 2000 17:08:59 +0200
User-agent: Mutt/1.2.5i

Hello,

With the latest ssl patches and the cvsauth setuid wrapper
the CVS world looks a bit nicer from a system admin point of view.

There are still a few things which I don't like.

1. Authorisation
----------------

The authorisation mechanism. Currently the client sends
cvsroot, username, password
in one single command.

If a setuid wrapper like cvsauth gets such a request,
the user sends his clear text password if he accidentally
types :pserver instead of :sslserver.

My solution to this: After the BEGIN AUTH REQUEST the
client has to wait on 
i)  START
ii) STOP

This gives the server a possibility to stop "pserver" requests.


2. CVSROOT
----------

I don't like it that every user can remotely execute commands.
I would like to have the ability to protect the mkmodules call.
I would like to have a config option in CVSROOT which does something like
this:

MkModules=/usr/sbin/alertsysadmin_by_mail

Or as default: leave it blank, then it rebuilds mkmodules.

CVSROOT is not changed very much, so it is acceptable that
it is done by some "admin".


Any ideas?


Martin

Btw: The signal/noise ratio on this list is very bad.
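
Added example, not part of the original post and not CVS code: a small model of the handshake proposed in point 1, comparing a client that sends the whole auth request in one write with one that waits for START or STOP first. The `START`/`STOP` replies come from the post; the function names, the `encrypted` flag and the credential values are assumptions constructed for illustration.

```python
import socket
import threading

# Constructed sample values, not real credentials.
CREDS = [b"/cvsroot/demo", b"alice", b"constructed-secret"]


def server(conn, encrypted, seen):
    """Model server: answer the opening line, then record whatever else arrives."""
    with conn, conn.makefile("rb") as rf:
        seen.append(rf.readline())
        # Proposed policy: refuse before any credentials if the transport is clear text.
        conn.sendall(b"START\n" if encrypted else b"STOP\n")
        for line in rf:
            seen.append(line)


def client(conn, wait_for_server):
    """wait_for_server=False models the one-shot request; True models the proposal."""
    request = b"\n".join(CREDS) + b"\nEND AUTH REQUEST\n"
    with conn, conn.makefile("rb") as rf:
        if not wait_for_server:
            # Everything goes out in a single write; the reply arrives too late.
            conn.sendall(b"BEGIN AUTH REQUEST\n" + request)
            rf.readline()
            return "sent"
        conn.sendall(b"BEGIN AUTH REQUEST\n")
        if rf.readline() != b"START\n":
            return "refused"  # credentials were never written to the socket
        conn.sendall(request)
        return "sent"


def run(encrypted, wait_for_server):
    """Return (client status, whether the password line reached the server)."""
    a, b = socket.socketpair()
    seen = []
    t = threading.Thread(target=server, args=(b, encrypted, seen))
    t.start()
    status = client(a, wait_for_server)
    t.join()
    return status, (CREDS[2] + b"\n") in seen


if __name__ == "__main__":
    for enc, wait in [(False, False), (False, True), (True, True)]:
        print(f"encrypted={enc} wait={wait} ->", run(enc, wait))
```

The STOP reply only protects the password when the client pauses after the opening line; a client that sends everything in one write has already exposed it by the time the refusal arrives.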

 






