CVS Security Issues

From: Derek Robert Price
Subject: CVS Security Issues
Date: Thu, 18 Dec 2003 14:26:26 -0500
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624 Netscape/7.1
Two patches were recently brought to my attention. One moves the
CVSROOT/passwd file(s) into /etc/cvs.passwd
<http://www.xs4all.nl/~carlo17/cvs/index.html> and the other adds a
/etc/cvs-repouids which overrides any system users listed for users in
the CVSROOT/passwd file
<ftp://ftp.gnu.org/savannah/patches/wichert-cvs-patch.text>.

The idea of both is to make it harder to overwrite the CVSROOT/passwd
file and gain root. I've actually just committed a fix that will be
released soon with 1.11.11 & 1.12.5 which causes CVS to refuse to
continue running if the system user specified in CVSROOT/passwd maps to
root, but that doesn't stop anyone with write access to the
CVSROOT/passwd file from assuming any other UID they'd like.

Does anyone else have any opinions on this? I'm a little torn on the
issue (aside from the fact that I don't have time to write the
documentation for the patches just now). On the one hand, this could
move some of CVS's vulnerable files to a location where they are harder
to get at. On the other hand, CVS repositories have been mostly
self-contained for some time, and the documentation already makes it
clear that CVSROOT permissions should be controlled as tightly as
/etc's, so I'm not inclined to be swayed by the complaint that a simple
misstep in setting the group ownership of CVSROOT is all it takes to
open your system up to an already trusted user - the same could be said
for /etc.

Consolidation of vulnerable files might almost be a valid argument, but
I don't think I buy it. Plenty of other sensitive files are scattered
around /var and elsewhere by various programs and I hear few
complaints. Is there a standards document I should be reading?
Derek
--
*8^)
Email: derek@ximbiot.com
Get CVS support at <http://ximbiot.com>!
--
I've never made a mistake in my life. I thought I had once, but it
turned out that I hadn't.
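The refusal described in the message above (stop if the system account named in CVSROOT/passwd maps to root), as an added example that is not CVS's own code and not one of the patches discussed. It parses the documented CVSROOT/passwd format (`cvs_user:crypted_password[:system_user]`, the third field optional and defaulting to the CVS user name), resolves each system user to a UID, and refuses to proceed on UID 0. The `EXAMPLE_SYSTEM_USERS` table and the sample passwd lines are constructed for this example; the `uid_of` parameter lets a real deployment plug in `pwd.getpwnam` instead. The returned mapping also makes the message's caveat visible: a line mapping to any non-root account passes this check, so the report is what an administrator audits.

```python
"""Added example: validate the system-user mappings in a CVSROOT/passwd file.

Mirrors the fix described on this page (refuse to continue when a mapping
resolves to root) and reports every other mapping so it can be reviewed.
"""
import pwd

# Constructed stand-in for the CVS host's account database (UIDs invented
# for this example; a real deployment uses the host's passwd database).
EXAMPLE_SYSTEM_USERS = {"root": 0, "cvs": 501, "anoncvs": 502, "alice": 1000}


class RootMappingError(Exception):
    """A CVSROOT/passwd entry would run CVS as UID 0."""


def table_uid(name, table=EXAMPLE_SYSTEM_USERS):
    """Resolve a system user name against the constructed table."""
    if name not in table:
        raise LookupError(f"unknown system user {name!r}")
    return table[name]


def system_uid(name):
    """Default resolver: ask the host's real account database."""
    return pwd.getpwnam(name).pw_uid


def parse_passwd_line(line):
    """Split one CVSROOT/passwd line into (cvs_user, crypted_pw, system_user).

    An empty crypted password field means "no password"; a missing or empty
    third field means the CVS user name doubles as the system user.
    """
    fields = line.rstrip("\n").split(":")
    if not 2 <= len(fields) <= 3 or not fields[0]:
        raise ValueError(f"malformed CVSROOT/passwd line: {line!r}")
    cvs_user, crypted = fields[0], fields[1]
    system_user = fields[2] if len(fields) == 3 and fields[2] else cvs_user
    return cvs_user, crypted, system_user


def check_passwd_mappings(text, uid_of=system_uid):
    """Return {cvs_user: (system_user, uid)} for every non-blank line.

    Raises RootMappingError as soon as any entry resolves to UID 0, which is
    the behaviour the message describes for the committed fix. Entries that
    resolve to any other UID are accepted and returned for auditing; the
    check deliberately does not (and cannot) decide whether those UIDs are
    appropriate.
    """
    mappings = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        cvs_user, _crypted, system_user = parse_passwd_line(raw)
        uid = uid_of(system_user)
        if uid == 0:
            raise RootMappingError(
                f"CVSROOT/passwd maps {cvs_user!r} to {system_user!r} (UID 0); "
                "refusing to continue"
            )
        mappings[cvs_user] = (system_user, uid)
    return mappings


# Constructed sample files for demonstration.
SAFE_PASSWD = "bach:ULtgRLXo7NRxs:cvs\nanonymous::anoncvs\n"
ROOT_PASSWD = "bach:ULtgRLXo7NRxs:root\n"

if __name__ == "__main__":
    for cvs_user, (sys_user, uid) in check_passwd_mappings(SAFE_PASSWD, table_uid).items():
        print(f"{cvs_user} -> {sys_user} (uid {uid})")
    try:
        check_passwd_mappings(ROOT_PASSWD, table_uid)
    except RootMappingError as err:
        print("rejected:", err)
```

Because the third field is what selects the UID, anyone who can write CVSROOT/passwd chooses which non-root account CVS runs as; this check only closes the root case, which is exactly the limitation the message points out.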