RE: CVS Security Issues
Fri, 19 Dec 2003 11:18:57 -0500
Greg A. Woods [mailto:address@hidden] wrote:
> It would be much Much MUCH better to begin to deprecate any and all
> support for "cvs" passwords than to give any further support to the
> false illusion of any security someone might pretend to see in them.
> CVS pserver support is, just barely, safely usable _only_ for truly
> anonymous access (which normally also means read-only access) (and only
> then when there's some underlying network integrity protection),
> regardless of how your network works, which clients you use, etc.
> _ANYONE_ considering the use of some tool like CVS obviously also needs
> at least some degree of true security (i.e. authentication,
> accountability, _and_ integrity) -- otherwise they're doing worse than
> fooling themselves (they're fooling _everyone_ involved with using their
OK, I'm going to play dumb here (please, no accusations of "playing" :-).
Why is this level of security so important? Exactly what are the security
attacks you're concerned with?
Well, clearly pserver is not secure because the password is sent effectively
in plain text, allowing anyone with a packet sniffer to retrieve CVS
passwords. That's a big no-no on the security level. But this is
well-documented in the Cederqvist - as I recall, it says something along the
lines of "if you want real security, don't use pserver."
Let's look at where pserver will probably be used. It will not (if the CVS
admins have any sense) be used on repositories that are accessible from
"outsiders" (the Big Bad Internet, for example). Network access to the
server will be restricted. This divides the attackers into two categories:
the insiders and the outsiders. We can pretty much discount the outsiders -
they'll have to hack through firewalls, etc. to get in, and are more likely
to find other servers much more interesting than CVS. Unless you think that
I'm underestimating the mindset of corporate raiders, who might actually do
this kind of hacking to get at a competitor's intellectual property.
For the insiders, again there's a limit to how much the attacker can do.
Most users only want to know enough to run the basic checkin/checkout
commands. Unless they have direct access to the repository, there is very
little damage they can do that cannot be fairly easily undone. For the
knowledgeable user who knows how to inflict real damage on the repository,
*and* who has the desire to inflict such damage, moving to a more secure
protocol like Kerberos will probably slow them down, but will not, in the
end, stop them from harming the repository. To paraphrase the well-known
saying, pserver is there to keep honest people honest.
I can envision a wide range of theoretical attacks that someone _could_ do.
But who would actually _do_ those attacks?
So, where am I deluding myself?
> I.e. please do not pretend you can gain anything by pretending to make
> the CVSROOT/passwd file harder to mess with.
That's a good point - as Bruce Schneier, author of "Applied Cryptography"
and a computer security expert, is fond of saying: Security is only as good
as its weakest link. For pserver, access to the passwd file is not the
weakest link by any means. Moving the file to a different location will not
significantly improve its inherent insecurity.
Senior Software Designer
Leitch Technology International Inc. (<http://www.leitch.com/>)
Columnist, C/C++ Users Journal (<http://www.cuj.com/experts>)
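As an added, hypothetical check (not code from this thread or from the CVS project): a small audit of CVSROOT strings that applies the rule argued above, pserver at most for anonymous access on a trusted network, everything else over :ext: (assumed to be configured with CVS_RSH=ssh) or a Kerberos method. The anonymous user names and the "private address" test are assumptions; the sample CVSROOTs are constructed.

```python
"""Audit CVSROOT strings for pserver use: pserver sends the password only
trivially scrambled, so a sniffer recovers it (the point made in the thread)."""
import ipaddress
import re

# CVSROOT grammar as documented in the Cederqvist:
#   :method:[[user][:password]@]host[:[port]]/path/to/repository
CVSROOT_RE = re.compile(
    r"^:(?P<method>[a-z]+):"
    r"(?:(?P<user>[^:@]*)(?::(?P<password>[^@]*))?@)?"
    r"(?P<host>[^:/]+)"
    r"(?::(?P<port>\d*))?"
    r"(?P<path>/.*)$"
)
ANONYMOUS_USERS = {"anonymous", "anoncvs"}      # assumed site convention
STRONG_METHODS = {"ext", "kserver", "gserver"}  # ssh via CVS_RSH, Kerberos 4, GSSAPI


def host_is_private(host):
    """True/False for IP literals; None for names, which we do not resolve offline."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    return ip.is_private or ip.is_loopback


def audit_cvsroot(cvsroot):
    """Return a list of findings; an empty list means no pserver-related concern."""
    m = CVSROOT_RE.match(cvsroot)
    if not m:
        return ["not a network CVSROOT (local or unparsable); out of scope"]
    method, user, host = m["method"], m["user"] or "", m["host"]
    if method in STRONG_METHODS:
        return []
    if method != "pserver":
        return [f"unknown method :{method}:; review manually"]
    findings = []
    if m["password"] is not None:
        findings.append("password embedded in CVSROOT; it ends up in ~/.cvspass and shell history")
    if user not in ANONYMOUS_USERS:
        findings.append(f"pserver with non-anonymous user '{user}': password crosses the wire "
                        "effectively in cleartext; use :ext: over ssh or a Kerberos method")
    if host_is_private(host) is False:
        findings.append(f"pserver host {host} is a public address: cleartext auth over an untrusted network")
    return findings


if __name__ == "__main__":
    for root in (":pserver:anonymous@192.168.1.10:/cvsroot",        # constructed samples
                 ":pserver:alice:s3cret@cvs.corp.example:2401/cvsroot"):
        print(root, "->", audit_cvsroot(root) or "ok")
```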