Re: CVS, SSH, (Light) Security

From: Greg A. Woods
Subject: Re: CVS, SSH, (Light) Security
Date: Thu, 7 Mar 2002 14:28:08 -0500 (EST)

[ On Thursday, March 7, 2002 at 17:52:01 (GMT), Richard Caley wrote: ]
> Subject: Re: CVS, SSH, (Light) Security
> But if I start some policy of controlling individual file permissions
> it means some poor sod has to make sure every file checked in has the
> right permissions, or a regular process does. Yeuch.

The point is that you cannot easily implement any policy that controls
access to individual files.  CVS only works normally with per-directory
access controls.  You can muck about with scripts called by commitinfo,
but that's not really guaranteed to be secure -- it would just be
"advisory" security.

> And if they can write the directory to make a lock file/directory they 
> can presumably check in new files and who knows what else might sneak
> through. 

Yes, that's exactly right, which is why you need to move the lock
directories somewhere else.

> If CVS created its lock files outside the repository itself, then
> simple access controls on the whole repository would work and that
> would be much cleaner. Then I could put each module directory in the
> repository into its own group and control access that way.

Indeed.  That's why CVS has this feature that everyone's been trying to
tell you about.  Here's the blurb from the manual (in the "config" node):

     Put CVS lock files in DIRECTORY rather than directly in the
     repository.  This is useful if you want to let users read from the
     repository while giving them write access only to DIRECTORY, not
     to the repository.  It can also be used to put the locks on a very
     fast in-memory file system to speed up locking and unlocking the
     repository.  You need to create DIRECTORY, but CVS will create
     subdirectories of DIRECTORY as it needs them.  For information on
     CVS locks, see *Note Concurrency::.

     Before enabling the LockDir option, make sure that you have
     tracked down and removed any copies of CVS 1.9 or older.  Such
     versions neither support LockDir, nor will give an error
     indicating that they don't support it.  The result, if this is
     allowed to happen, is that some CVS users will put the locks one
     place, and others will put them another place, and therefore the
     repository could become corrupted.  CVS 1.10 does not support
     LockDir but it will print a warning if run on a repository with
     LockDir enabled.

The lock hierarchy could even be world writable, and certainly it needs
to be writable by the unprivileged user-ID used to grant anonymous
read-only access.  You'll have to keep your eyes on it anyway lest a
vulnerability in CVS somehow allow anonymous users to write arbitrary
data to it.

                                                                Greg A. Woods

+1 416 218-0098;  <address@hidden>;  <address@hidden>;  <address@hidden>
Planix, Inc. <address@hidden>; VE3TCP; Secrets of the Weird <address@hidden>
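
An added example, not part of the message above or of CVS itself: a shell function that audits a repository for the arrangement the message describes, namely a `LockDir=DIRECTORY` line in `CVSROOT/config` pointing at an existing directory outside the repository, with no world-writable directories left in the repository tree. The function names and any paths passed to them are assumptions.

```shell
# Added example: audit_cvs_lockdir REPO prints findings and returns non-zero
# when the LockDir arrangement is not in place. Names here are illustrative.

lockdir_of() {
    # CVSROOT/config holds "LockDir=DIRECTORY"; report the last such setting.
    sed -n 's/^LockDir=//p' "$1/CVSROOT/config" 2>/dev/null | tail -n 1
}

audit_cvs_lockdir() {
    repo=$(cd "$1" 2>/dev/null && pwd -P) || { echo "FAIL: no repository at $1"; return 2; }
    rc=0
    lockdir=$(lockdir_of "$repo")
    if [ -z "$lockdir" ]; then
        echo "FAIL: LockDir not set; locks are created inside the repository"
        rc=1
    elif [ ! -d "$lockdir" ]; then
        echo "FAIL: LockDir $lockdir does not exist (it must be created by hand)"
        rc=1
    else
        # Resolve symlinks so a lock directory linked back into the tree is caught.
        real=$(cd "$lockdir" && pwd -P)
        case "$real/" in
            "$repo"/*) echo "FAIL: LockDir $real is inside the repository"; rc=1 ;;
            *) echo "ok: locks go to $real" ;;
        esac
    fi
    # With locks moved out, nothing in the repository needs to be world-writable.
    loose=$(find "$repo" -type d -perm -0002 -print)
    if [ -n "$loose" ]; then
        echo "FAIL: world-writable repository directories:"
        echo "$loose"
        rc=1
    fi
    return $rc
}
```

The lock directory's own mode is deliberately not checked, since the message notes it may be world-writable.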
