
Re: ANN: cvssh - secure ext-to-pserver bridge

From: Paul Sander
Subject: Re: ANN: cvssh - secure ext-to-pserver bridge
Date: Fri, 25 Jan 2002 11:30:27 -0800

>--- Forwarded mail from Greg Woods:

>[ On Friday, January 25, 2002 at 00:24:31 (-0800), Paul Sander wrote: ]
>> Subject: Re: ANN: cvssh - secure ext-to-pserver bridge
>> Applications don't require Unix user IDs to track their own user
>> bases.

>Yes, they do, since in particular this one uses the Unix filesystem and
>has no other means of controlling who has access to what.  And we're
>_not_ even talking about minimal C2 level security here.

Kindly take my comments in context:

>>Applications don't require Unix user IDs to track their own user
>>bases.  You don't need *Unix security* to have *good security*,
>>even on a Unix system.  But obviously if an application does away with
>>Unix security and all the stuff that goes with it, then it must replace
>>it with its own mechanism.  This clearly can and in fact is done; ask
>>anyone who provides applications that service more than 33000 users
>>on a Unix system.

Applications require a Unix user ID to run, especially if they write
to the Unix filesystem.  That's not the same thing as tracking their
user bases.  They can either use the mechanisms supplied with the Unix
system and use Unix user IDs, or they can roll their own security.
My point is that they don't *need* to do security the Unix way, if they're
willing to put in the work to do something else.  If the application uses
something else, then it's up to its implementors to decide what else, how
much, and how well.

Some would argue that the latter route is preferable, because if an
application runs without privilege in a regular Unix account with a
filesystem having minimal permissions (perhaps even a chroot jail if
the operator is paranoid) then security is increased.  The reason for
that is because if a user breaks out of the application, the amount of
damage he can inflict upon the system (as a whole) is limited.

But because such a rogue user can potentially damage the application
significantly, there is incentive for the application developers to
do their security right.

CVS' pserver mode implements its own security.  It's up to the CVS
developers and the pserver mode users to decide if the security is
good enough.  If it's not, then pserver mode should be fixed, or the
users should use another mode (as you suggest).  I argue the former,
whereas you argue the latter.

>--- End of forwarded message from address@hidden
