[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


From: Greg A. Woods
Subject: Re: CVS & SSL
Date: Thu, 31 May 2001 01:40:00 -0400 (EDT)

[ On Thursday, May 24, 2001 at 15:26:17 (-0400), Derek R. Price wrote: ]
> Subject: Re: CVS & SSL
> By limiting CVS to :ext: you are limiting the choice of security models to 
> those
> which provide _shell_accounts_on_the_server_!  The socket provider model 
> allows for
> any sort of security model that can provide a tcp connection and uses its own 
> methods
> to determine user names for the logs.  As for the security of the pserver 
> auth for
> log names, well, yeah, it's fairly insecure.  An appropriate and backwards 
> compatible
> upgrade for this might be something like PAM.  Of course that probably 
> doesn't work
> for all platforms.  I believe Alexey Mahotkin did this for nserver already, 
> so we
> might see it in CVS if his code ever makes it into a mergable state.  His 
> recent
> questions lead me to believe he is at least updating his changes to work with
> 1.11...  :)

You've missed a *HUGE* hole in your argument.

By allowing *anyone* to use CVS on your machine you are very nearly
granting them shell access anyway!  If you do so in a totally
unaccountable way (i.e. with pserver) then you've just lost the
integrity (and thus the security) of your repository.

I.e. CVS cannot guarantee that it will not allow a remote user to
execute any arbitrary command (and indeed maybe even any arbitrary code
whatsoever).  There is no inherent security in CVS -- anyone who can
execute it can probably do anything as the user it executes as.

If you want to set up a repository that's owned and accessible by a
pseudo-user to which any number of other real-world people may be
authenticated and authorised to use, then that's your business.  However
any claim that such a repository is secure is bogus.  All you've done is
created a shared account which owns the repository and thus you have no
real accoutability whatsoever.  Anyone can change the repository (or
anything else on the system owned by the same user and at the same time
they can probably even mis-direct blame to any other user with access to
the shared account.  It's not as bad as giving everyone the root
password, but it's not much better from the point of view of anyone
concerned with the integrity of the repositoyr.

What's even worse is the scenario where some poor fool runs CVS as root
with only pserver passwords.  The result there is that he's effectively
turned all the accounts mapped by pserver into a common pool of shared
accounts!  Anyone can possibly be anyone else and do anything!  All
accountability is totally gone out the window, especially since the
average naive admin who doesn't understand this issue will easily be
mis-directed into placing any blame on an innocent party!

I.e. pserver alone is rather stupid (because it's really not necessary),
but pserver started as root with setuid to other users is down right

                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <address@hidden>     <address@hidden>
Planix, Inc. <address@hidden>;   Secrets of the Weird <address@hidden>

reply via email to

[Prev in Thread] Current Thread [Next in Thread]