[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Security, audits and pserver

From: Phil R Lawrence
Subject: Re: Security, audits and pserver
Date: Thu, 12 Dec 2002 14:54:53 -0500
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003

um, I'm a newbie at CVS, so I've read more of the documentation than anything
else, but the answers I've seen so far for the security question seem to have
missed one vital point.  People have write access to spots in the repository,
therefore they, just like CVS, can write as they please to the ,v files. That
means that there is no guarentee that the history that is present in the
repository reflects the actual events in history.  This hole, even if it is not
exploited in an organization because everybody is "good", is still a hole, and
won't pass an audit.  What I'll be testing next week, is a CVS server where no
"users" exist in /etc/passwd, and all access rights are granted through pserver
mapping CVS user IDs to security accounts. The admin can still bypass audit
controls, but that's better than having my 1,000 users being enabled to. -CTH

what about this:

1. I set up cvs-admin as a user in /etc/passwd

2. I set up these groups in etc/group:
cvs-devel  (all developers are members, this group owns LockDir, etc)
cvs-devel-foo  (no one is a member)
cvs-devel-bar  (no one is a member)
cvs-devel-baz  (no one is a member)

3. then I make CVSROOT (/usr/local/cvs) look like this:
drwxrwsr-x    3 root          cvs-admin     4096 Dec 12 14:17 .
drwxr-xr-x   15 root          root          4096 Dec 12 13:49 ..
drwxrwsr-x    3 cvs-admin     cvs-admin     4096 Dec 12 14:17 CVSROOT
drwxrwsr-x    3 cvs-admin     cvs-devel-foo 4096 Dec 12 14:17 foo
drwxrwsr-x    3 cvs-admin     cvs-devel-bar 4096 Dec 12 14:17 bar
drwxrwsr-x    3 cvs-admin     cvs-devel-baz 4096 Dec 12 14:17 baz

Then, any user on the system can see the files, but there are no members of cvs-devel-foo, etc., so no one can modify.

Then I set up CVSROOT/passwd to map actual developer ids from /etc/passwd to the cvs-devel-foo groups.

Will cvs then allow the local developers to check-in, out, etc, via the mappings in CVSROOT/passwd, even though I'm not running pserver?


reply via email to

[Prev in Thread] Current Thread [Next in Thread]