Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Somewhat of a security hole in CVS
From: deraadt () CVS OPENBSD ORG (Theo de Raadt)
Date: Fri, 29 Aug 1997 11:51:35 -0600


Of course, having someone do a complete security audit of CVS wouldn't
hurt either ;-)

I looked at it a bit.  It was above the quality of most GNU software.
I didn't pay any attention to pserver because I think it's yet-another
cleartext login method, and hence I would never use it.

It is becoming increasingly used on the 'net for software
distribution - the OpenBSD project being an example - and it lacks some
basic features, such as integrated anonymous user support (without having
to make a separate user and run the server as root,

We've had people in our group try to use pserver. When they did, they
needed to make a change to the cvs source to permit anonymous user
access.

We actually prefer to use ssh/rsh access for the anoncvs servers, and
we have a chroot wrapper that starts the cvs command up within a
chroot space.  It's basically as secure as ftpd's use of chroot.  And
if they get a shell, they discover that the entire chroot space is
read-only.



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]