info-cvs

Re: Linux security issues as they pertain to CVS


From: Greg A. Woods
Subject: Re: Linux security issues as they pertain to CVS
Date: Fri, 25 May 2001 20:47:46 -0400 (EDT)

[ On Friday, May 25, 2001 at 14:51:41 (-0700), Mark wrote: ]
> Subject: Re: Linux security issues as they pertain to CVS
>
> It is a large company and a lot of red tape to get anything done.
> I've had all of 45 minutes with the System admin about getting CVS
> set up since I started. He would prefer not running CVS as
> root, and if root has to run it they would have to own CVS, test it
> and create a whole new line of red tape for
> changes/updates/patches.

I don't see the problem.   CVS via SSH never runs as root.  Just use it!

> I have seen people mention pserver can be run from a non-root user,
> after hours of searching the archives, that web site was the only
> real description on how to do it.

It's trivial (though I don't know if the code has been broken to make it
not actually work in practice)!  Just don't use "root" in the user field
in the /etc/inetd.conf entry for pserver!

You have to have root privileges to set it up, of course.....

> I think pserver should be improved on to reach a reasonably secure
> level of operations (I'll leave that to those more experienced in
> security than I).

The problem is that pserver cannot be made secure.  Literally cannot.
It runs on a raw, insecure TCP circuit and is subject to all kinds of
man-in-the-middle attacks, connection hijacking, spoofing, etc.

If you don't want huge amounts of security then use rsh instead of ssh.

However if, as in your case, your security officer won't allow .rhosts
then you need to consider that perhaps you *do* need something
semi-secure and as such your very best choice is SSH (because it already
works and there's a vast body of experience with it).

> I think a good explanation of how to run pserver as a non-root
> user would be good to have in the CVS manual.

Me too!

> I think pserver (as root or non-root) may be fine for most
> companies, running behind a firewall and not servicing clients from
> the internet.

Maybe.  Most security problems lie on the inside of the firewall though.
 
-- 
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <address@hidden>     <address@hidden>
Planix, Inc. <address@hidden>;   Secrets of the Weird <address@hidden>
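
An added example, not part of the original message: a shell check that finds the pserver entries in inetd.conf-style text and reports whether the user field discussed above is root. The sample input is constructed; the file paths, the repository root and the "cvs" account name are assumptions.

```shell
#!/bin/sh
# Audit inetd.conf-style text for CVS pserver entries and report the
# account each one runs as.
# inetd.conf fields: service socktype proto wait user[.group] server args...

audit_pserver() {
    # Reads inetd.conf text on stdin; prints "<verdict> line=<n> user=<u>".
    awk '
        /^[ \t]*#/ || NF < 7 { next }      # skip comments and short lines
        {
            is_pserver = 0
            # Match on the service name or port, or on a "pserver" argument.
            if ($1 == "cvspserver" || $1 == "2401") is_pserver = 1
            for (i = 7; i <= NF; i++) if ($i == "pserver") is_pserver = 1
            if (!is_pserver) next
            user = $5
            sub(/[.:].*$/, "", user)       # strip an optional .group or :group
            verdict = (user == "root") ? "ROOT" : "OK"
            printf "%s line=%d user=%s\n", verdict, NR, user
        }'
}

# Constructed sample input, not taken from a real host.
sample_inetd_conf() {
    cat <<'EOF'
# constructed sample
ftp        stream tcp nowait root    /usr/sbin/ftpd ftpd -l
cvspserver stream tcp nowait root    /usr/bin/cvs cvs -f --allow-root=/usr/cvsroot pserver
2401       stream tcp nowait cvs.cvs /usr/bin/cvs cvs -f --allow-root=/usr/cvsroot pserver
#cvspserver stream tcp nowait root   /usr/bin/cvs cvs pserver
EOF
}

# Prints:
#   ROOT line=3 user=root
#   OK line=4 user=cvs
sample_inetd_conf | audit_pserver
```

To check a real host, feed it the live file: `audit_pserver < /etc/inetd.conf`.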


