Loophole in cvs_acls script allows restricted files to be committed
From: Peter Connolly
Subject: Loophole in cvs_acls script allows restricted files to be committed
Date: Thu, 18 Dec 2003 10:09:40 -0800
There appears to be a loophole in the cvs_acls script that allows
someone to bypass an 'unavail' on a specific file and commit changes to
that file.
It seems that all one needs to do is update another file in that same
directory. Then a commit of that unrestricted file will include the
restricted file, which commits successfully.
The avail file would look something like this:
unavail||CVSROOT/avail
avail|cvsadmin|CVSROOT/avail
So only 'cvsadmin' should be able to update the 'avail' file.
But if a non-cvsadmin user updates **any other file** in the CVSROOT
directory (e.g., loginfo) and commits that file, the commit includes the
'avail' file and successfully commits it.
Here is some sample output when done under :ext: (ssh):
address@hidden ssh]$ vi CVSROOT/avail
address@hidden ssh]$ cvs ci -m"" CVSROOT/avail
cvs commit: Examining CVSROOT
address@hidden's password:
**** Access denied: Insufficient permission for this dir/file
(wimp|CVSROOT|)
cvs commit: Pre-commit check failed
cvs [commit aborted]: correct above errors first!
address@hidden ssh]$ vi CVSROOT/loginfo
address@hidden ssh]$ cvs ci -m"" CVSROOT/loginfo
cvs commit: Examining CVSROOT
address@hidden's password:
Checking in CVSROOT/avail;
/usr/cvsroot/CVSROOT/avail,v <-- avail
new revision: 1.7; previous revision: 1.6
done
Checking in CVSROOT/loginfo;
/usr/cvsroot/CVSROOT/loginfo,v <-- loginfo
new revision: 1.139; previous revision: 1.138
done
cvs commit: Rebuilding administrative file database
This exposure occurs under both pserver and ext access modes. Client and
server were using CVS 1.11.10 under Redhat Linux 9.0.
Any help would be appreciated...
pc
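The report above shows a pre-commit ACL check that rejects 'avail' when it is named directly but lets it through when it rides along with 'loginfo'. The following is an added illustration, not the cvs_acls script and not code from the reporter: a small evaluator for the avail-file format shown in the message that applies the rules to every file in the commit set rather than only to the file named on the command line. The rule semantics (last matching rule wins, an empty user list means everyone, a path rule also covers everything beneath it, and nothing matching means allowed) are assumptions made for this example, and the avail content is the constructed two-line file from the report.

```python
"""Per-file ACL check over the full commit set, in the style of a
cvs_acls 'avail' file. Added example, not the cvs_acls script itself;
the rule semantics (last matching rule wins, empty user list means
everyone, a path rule also covers everything beneath it, no match
means allowed) are assumptions made for this illustration."""

# Constructed 'avail' file reproducing the two rules from the report.
AVAIL_TEXT = """\
unavail||CVSROOT/avail
avail|cvsadmin|CVSROOT/avail
"""


def parse_avail(text):
    """Parse 'avail|users|paths' lines into (allow, users, paths) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != 3 or parts[0] not in ("avail", "unavail"):
            raise ValueError("malformed avail line: %r" % raw)
        keyword, users, paths = parts
        rules.append((
            keyword == "avail",
            {u.strip() for u in users.split(",") if u.strip()},
            [p.strip().strip("/") for p in paths.split(",") if p.strip()],
        ))
    return rules


def _path_matches(rule_path, path):
    """A rule path covers itself and anything beneath it."""
    path = path.strip("/")
    return path == rule_path or path.startswith(rule_path + "/")


def is_allowed(rules, user, path):
    """Evaluate one (user, path) pair; the last matching rule decides.
    Default when nothing matches: allowed (assumption for the example)."""
    decision = True
    for allow, users, paths in rules:
        user_ok = not users or user in users
        path_ok = not paths or any(_path_matches(rp, path) for rp in paths)
        if user_ok and path_ok:
            decision = allow
    return decision


def check_commit(rules, user, files):
    """Return the files this user may not commit. The commit set passed in
    must be every file CVS is about to check in, not only the one named on
    the command line; otherwise a restricted file that rides along with an
    unrestricted one is never evaluated, which is the behaviour reported."""
    return [f for f in files if not is_allowed(rules, user, f)]


if __name__ == "__main__":
    rules = parse_avail(AVAIL_TEXT)
    # The two commits from the report, as the hook should see them.
    print(check_commit(rules, "wimp", ["CVSROOT/avail"]))                         # ['CVSROOT/avail']
    print(check_commit(rules, "wimp", ["CVSROOT/loginfo", "CVSROOT/avail"]))      # ['CVSROOT/avail']
    print(check_commit(rules, "cvsadmin", ["CVSROOT/loginfo", "CVSROOT/avail"]))  # []
```

The point the check makes is that the authorization decision has to be taken per file over the set of files actually being written to the repository; a hook that only examines its command-line arguments, or only the directory, cannot catch the second commit in the transcript above.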