info-cvs

RE: New update to the CVS ACL patch to support user groups


From: Greg A. Woods
Subject: RE: New update to the CVS ACL patch to support user groups
Date: Wed, 25 Jul 2001 11:48:48 -0400 (EDT)

[ On Wednesday, July 25, 2001 at 10:09:52 (-0400), Noel L Yap wrote: ]
> Subject: RE: New update to the CVS ACL patch to support user groups
>
> Not if you're using SSH and limiting server-side commands to CVS (although
> nothing (including pserver) prevents users from hacking CVS or the repo to gain
> more access than was intended).

Well, not _explicitly_, but....

Any vulnerability in CVS (or blatant known hole if the user has access
to any of the execution path for stuff in *info files, or the *info
files themselves, etc.) will _implicitly_ allow users to hack the repo,
and even to do it in such a manner that they can affect _any_ file that
_any_ CVS user has access to regardless of what any ACLs or permissions
prevent their ID from doing.

A security auditor will always assume that the user can get shell access
via CVS, even if you explicitly disable it from sshd.  Your external
security policy must take this into account and employ sufficient
deterrents to make it as unlikely as you need it to be.

-- 
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <address@hidden>     <address@hidden>
Planix, Inc. <address@hidden>;   Secrets of the Weird <address@hidden>
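The message above points at the CVSROOT administrative files (commitinfo, loginfo, taginfo and friends) and the scripts they invoke as the path by which a repository user can end up running code on the server. The script below is an added example for this archive page, not code from the thread or from the CVS project: it walks those files in a given CVSROOT, extracts the absolute script paths they reference, and reports any file, script or script directory that is writable by group or others. The demo repository layout, hook names and modes it builds under a temporary directory are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the original thread): audit CVSROOT admin
# files and the hook scripts they reference for group/other write access,
# which would let a repository user change what the server executes.

# Print "<path> <mode-string>" and return 1 if the path is writable by
# group or others (or does not exist); return 0 otherwise.
_check_writable() {
    if [ ! -e "$1" ]; then
        printf '%s missing\n' "$1"
        return 1
    fi
    mode=$(ls -ld "$1" | cut -c1-10)        # e.g. -rw-rw-r--
    gw=$(printf '%s' "$mode" | cut -c6)     # group write bit
    ow=$(printf '%s' "$mode" | cut -c9)     # other write bit
    if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
        printf '%s %s\n' "$1" "$mode"
        return 1
    fi
    return 0
}

# Raw audit: one line per finding, duplicates possible.
_audit_raw() {
    cvsroot="$1"
    for name in commitinfo loginfo taginfo verifymsg rcsinfo editinfo; do
        f="$cvsroot/$name"
        [ -f "$f" ] || continue
        _check_writable "$f" || :
        # Each non-comment line is "<regex> <script> [args...]".  The script
        # and the directory holding it must not be writable by repo users
        # either, or the script can simply be replaced.
        grep -v '^[[:space:]]*#' "$f" | while read -r _pattern script _rest; do
            [ -n "$script" ] || continue
            case "$script" in
                /*) _check_writable "$script" || :
                    _check_writable "$(dirname "$script")" || : ;;
            esac
        done
    done
}

# Public entry point: unique findings for the CVSROOT directory in $1.
# Usage: cvs_info_audit /var/cvs/repo/CVSROOT
cvs_info_audit() {
    _audit_raw "$1" | sort -u
}

# Build a constructed demo CVSROOT in a temp dir and print its path.
# Intentionally weak: commitinfo is group-writable, the hooks directory is
# world-writable, and log-commit is group-writable.
demo_cvsroot() {
    dir=$(mktemp -d)
    mkdir -p "$dir/hooks"
    printf '#!/bin/sh\nexit 0\n' > "$dir/hooks/check-commit"
    printf '#!/bin/sh\nexit 0\n' > "$dir/hooks/log-commit"
    printf '# constructed commitinfo\nALL %s/hooks/check-commit\n' "$dir" > "$dir/commitinfo"
    printf '# constructed loginfo\nALL %s/hooks/log-commit %%s\n' "$dir" > "$dir/loginfo"
    chmod 0664 "$dir/commitinfo"
    chmod 0644 "$dir/loginfo"
    chmod 0777 "$dir/hooks"
    chmod 0755 "$dir/hooks/check-commit"
    chmod 0775 "$dir/hooks/log-commit"
    printf '%s\n' "$dir"
}

# Stand-alone run: audit the constructed demo and clean up.
demo=$(demo_cvsroot)
cvs_info_audit "$demo"
rm -rf "$demo"
```

On the constructed layout the audit reports three distinct findings: the group-writable commitinfo, the world-writable hooks directory, and the group-writable log-commit script; check-commit and loginfo themselves pass. Run it against a real CVSROOT with the same function; anything it prints is a file a committer could edit to run their own code as the server user, which is exactly the implicit access the message describes.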
