Re: CVS Security Issues
From: Derek Robert Price
Subject: Re: CVS Security Issues
Date: Thu, 18 Dec 2003 17:21:11 -0500
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624 Netscape/7.1
Mike Sutton wrote:
>On 12/18/03 14:26:26, Derek Robert Price wrote:
>
>>The idea of both is to make it harder to overwrite the CVSROOT/passwd
>>file and gain root. I've actually just committed a fix that will be
>>released soon with 1.11.11 & 1.12.5 which causes CVS to refuse to
>>continue running if the system user specified in CVSROOT/passwd maps to
>>root, but that doesn't stop anyone with write access to the
>>CVSROOT/passwd file from assuming any other UID they'd like.
>
>
>I posted a patch long ago that did just this for pserver connections.
>If the mapped name correlates to root (uid 0) then access is denied.
Sorry I missed your earlier patch, but I already committed this one and
it's in the 1.11.11 & 1.12.5 releases. This email was actually asking
about two different patches. :)
Derek
--
*8^)
Email: address@hidden
Get CVS support at <http://ximbiot.com>!
--
A handy telephone tip: Keep a small chalkboard near the phone. That
way, when a salesman calls, you can hold the receiver up to it and run
your fingernails across it until he hangs up.
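The root-mapping check discussed in this message, sketched as an added example (it is not the code committed to CVS and not Mike Sutton's patch): it parses one CVSROOT/passwd line, resolves the mapped system account, and refuses any account that resolves to UID 0. The `cvsuser:cryptedpw[:systemuser]` layout, the function names and the sample accounts and entries are assumptions of this example.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

enum verdict { ENTRY_OK, ENTRY_ROOT, ENTRY_UNKNOWN, ENTRY_MALFORMED };
typedef int (*uid_lookup)(const char *name, uid_t *uid);

/* Real resolver: consults the system account database. */
int system_lookup(const char *name, uid_t *uid) {
    struct passwd *pw = getpwnam(name);
    if (pw) *uid = pw->pw_uid;
    return pw ? 0 : -1;
}

/* Constructed accounts so the demo behaves the same on any host. */
int sample_lookup(const char *name, uid_t *uid) {
    static const struct { const char *n; uid_t u; } db[] =
        { {"root", 0}, {"toor", 0}, {"cvs", 501}, {"alice", 1000} };
    for (size_t i = 0; i < sizeof db / sizeof db[0]; i++)
        if (strcmp(db[i].n, name) == 0) { *uid = db[i].u; return 0; }
    return -1;
}

/* Assumed line format: cvsuser:cryptedpw[:systemuser]. With no third field
   the CVS user name doubles as the system account. Judged by UID, not name. */
enum verdict check_entry(const char *line, uid_lookup lookup, uid_t *uid) {
    char buf[256];
    if (strlen(line) >= sizeof buf) return ENTRY_MALFORMED;
    strcpy(buf, line);
    buf[strcspn(buf, "\r\n")] = '\0';          /* drop the line ending */
    char *pass = strchr(buf, ':');
    if (pass == NULL || pass == buf) return ENTRY_MALFORMED;
    *pass++ = '\0';                            /* buf now holds the CVS user */
    char *sys = strchr(pass, ':');
    const char *account = (sys && sys[1]) ? sys + 1 : buf;
    if (lookup(account, uid) != 0) return ENTRY_UNKNOWN;
    return *uid == 0 ? ENTRY_ROOT : ENTRY_OK;
}

int main(void) {
    /* Constructed sample entries; the hash field is a dummy value. */
    const char *lines[] = { "alice:Kx9pQ2rT1uVwY:cvs", "bob:Kx9pQ2rT1uVwY:toor",
                            "root:Kx9pQ2rT1uVwY", "carol::nosuchuser" };
    const char *names[] = { "ok", "REFUSE (uid 0)", "unknown account", "malformed" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        uid_t uid = (uid_t)-1;
        printf("%-26s -> %s\n", lines[i], names[check_entry(lines[i], sample_lookup, &uid)]);
    }
    return 0;
}
```

The entry mapped to the non-root `cvs` account passes, which is the limitation the quoted text points out: the check keeps a mapping away from UID 0 but does not stop someone who can write CVSROOT/passwd from choosing any other UID.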