Re: cvs security problem

On Fri, 28 Jul 2000, Kev wrote:
> > I found two security problems in cvs-1.10.8.
>
> >From the CVS info page (Node: Password authentication security):
>
> The separate CVS password file (*note Password authentication
> server::) allows people to use a different password for repository
> access than for login access. On the other hand, once a user has
> non-read-only access to the repository, she can execute programs on the
> server system through a variety of means. Thus, repository access
> implies fairly broad system access as well. It might be possible to
> modify CVS to prevent that, but no one has done so as of this writing.
>
> (cvs version 1.10.7; I'd be suprised if .8 has changed that much in this
> respect.)
>
> This has been the case for quite some time. It would be nice if CVS
> could be made more secure, but it would probably take a lot of work.

A while ago, I wrote a simple cvs wrapper that takes away this "fairly
broad system access" by setuid() and chroot(). This is the easiest method
of limiting access granted by almost anything. Attached is source for the
wrapper. Being only 181 lines long, I should hope there are no blatant
errors in my code, but we all do stupid things. =)

My cvs server has a minimal set of files for a chroot()ed environment.
Following is a listing of my /usr/cvsroot.

It should be noted that cvs was never intended to be secure, but I find
that this wrapper does a nice job of ensuring minimal access.

Mike Eldridge

/usr/cvsroot:
total 6
drwxr-xr-x 2 cvs cvs 1024 Nov 26 1999 bin
drwxr-xr-x 9 cvs cvs 1024 Apr 4 14:07 cvsroot
drwxr-xr-x 2 cvs cvs 1024 Nov 26 1999 dev
drwxr-xr-x 2 cvs cvs 1024 Jun 1 14:26 etc
drwxr-xr-x 2 cvs cvs 1024 Nov 26 1999 lib
drwxr-xr-x 2 cvs cvs 1024 Jul 28 17:14 tmp

bin:
total 479
-rwxr-xr-x 1 cvs cvs 486932 Oct 2 1998 cvs

cvsroot:
total 7
drwxrwxr-x 2 cvs cvs 1024 Jun 1 14:18 CVSROOT

cvsroot/CVSROOT:
total 60
-r--r--r-- 1 cvs cvs 493 Nov 26 1999 checkoutlist
-r--r--r-- 1 cvs cvs 691 Nov 26 1999 checkoutlist,v
-r--r--r-- 1 cvs cvs 760 Nov 26 1999 commitinfo
-r--r--r-- 1 cvs cvs 958 Nov 26 1999 commitinfo,v
-r--r--r-- 1 cvs cvs 364 Nov 26 1999 config
-r--r--r-- 1 cvs cvs 562 Nov 26 1999 config,v
-r--r--r-- 1 cvs cvs 753 Nov 26 1999 cvswrappers
-r--r--r-- 1 cvs cvs 951 Nov 26 1999 cvswrappers,v
-r--r--r-- 1 cvs cvs 1025 Nov 26 1999 editinfo
-r--r--r-- 1 cvs cvs 1223 Nov 26 1999 editinfo,v
-rw-rw-r-- 1 cvs cvs 27000 Jun 9 14:18 history
-r--r--r-- 1 cvs cvs 1141 Nov 26 1999 loginfo
-r--r--r-- 1 cvs cvs 1339 Nov 26 1999 loginfo,v
-r--r--r-- 1 cvs cvs 1151 Nov 26 1999 modules
-r--r--r-- 1 cvs cvs 1349 Nov 26 1999 modules,v
-r--r--r-- 1 cvs cvs 564 Nov 26 1999 notify
-r--r--r-- 1 cvs cvs 762 Nov 26 1999 notify,v
-r--r--r-- 1 cvs cvs 649 Nov 26 1999 rcsinfo
-r--r--r-- 1 cvs cvs 847 Nov 26 1999 rcsinfo,v
-rw-r--r-- 1 root root 5 Jun 1 14:18 readers
-r--r--r-- 1 cvs cvs 879 Nov 26 1999 taginfo
-r--r--r-- 1 cvs cvs 1077 Nov 26 1999 taginfo,v
-r--r--r-- 1 cvs cvs 1026 Nov 26 1999 verifymsg
-r--r--r-- 1 cvs cvs 1224 Nov 26 1999 verifymsg,v

dev:
total 0
crw-rw-rw- 1 cvs cvs 1, 3 May 5 1998 null

etc:
total 2
-rw-r--r-- 1 cvs cvs 98 Nov 26 1999 ld.so.cache
-rw-r--r-- 1 cvs cvs 0 Nov 26 1999 ld.so.conf
-rw-r--r-- 1 cvs cvs 128 Jun 1 14:14 passwd

lib:
total 891
-rwxr-xr-x 1 cvs cvs 40452 Nov 26 1999 ld-2.0.7.so
lrwxrwxrwx 1 cvs cvs 11 Nov 26 1999 ld-linux.so.2 -> ld-2.0.7.so
-rwxr-xr-x 1 cvs cvs 650524 Nov 26 1999 libc-2.0.7.so
lrwxrwxrwx 1 cvs cvs 13 Nov 26 1999 libc.so.6 -> libc-2.0.7.so
-rwxr-xr-x 1 cvs cvs 181993 Oct 13 1998 libcrypt-2.0.7.so
lrwxrwxrwx 1 cvs cvs 17 Nov 26 1999 libcrypt.so.1 -> libcrypt-2.0.7.so
-rwxr-xr-x 1 cvs cvs 30172 Nov 26 1999 libnss_files-2.0.7.so
lrwxrwxrwx 1 cvs cvs 21 Nov 26 1999 libnss_files.so.1 -> libnss_files-2.0.7.so

tmp:
total 0