On Mon, 24 Apr 2000, Kris Kennaway wrote:
> On Mon, 24 Apr 2000, Kris Kennaway wrote:
>
> > of the filesystem used by CVS to maintain its lock state. It's also not
> > quite as serious as it might first sound, because anyone who can
> > legitimately connect to the CVS server remotely via CVS can cause a lock
> > to be taken out over any part of the repository, with the same effect.
>
> Sorry, but on further thought I don't think this is true. Locks are only
> acquired for CVS write operations, not read operations.
No, I was right the first time (pointed out to me by Peter Jeremy
<Peter.Jeremy_at_alcatel.com.au>) - both read and write operations will cause
file lock creation.
However, on FreeBSD, cvs clients can always use -R (readonly) for
checkouts, which will bypass any locking on the server (this will
therefore usually be much faster as well, since the client doesn't have to
lock as it traverses). So a malicious local user who creates faked lock
files in /tmp will only hurt external checkins, and one could argue that
you shouldn't be hosting your writable CVS repository on a host which
contains malicious users (or allows anonymous access), as a matter of
policy.
Kris
----
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe <forsythe_at_alum.mit.edu>
Received on May 02 2000
Intro
