Home page logo

bugtraq logo Bugtraq mailing list archives

Re: CVS woes: .cvspass
From: Delian Krustev <krustev () krustev net>
Date: Thu, 5 Aug 2004 12:52:10 +0300

On Wednesday 04 August 2004 23:35, Greg A. Woods wrote:
Nope, sorry, but that's just not possible, at least not with CVS pserver.

What's not possible ? Using IPSEC ?!

The unix security model, within which CVS is designed and implemented to
work, _requires_ unique user-IDs for each and every unique human user.

This is in fact a basic, fundamental, requirement of all systems of this

I'm not sure what You mean by "human user". The users in cvs doesn't have
to be mapped to system users(CVSROOT/passwd).

CVS is not, and cannot be, a security tool so running it as root and
pretending to have it do all your authentication and authorisation flies
directly in the face of the underlying system security model and leaves
you with no real and verifiable accountability whatsoever, and it also
leaves you open to the possibility of yet another vulnerability vector
in the form of the unaudited CVS code base.  Remember that the vast
majority of all security incidents originate internally to the
organisations they affect.

You're right CVS is not a security tool. It's a version control system.
In fact, what You are talking about ? Do You remember what the subject
of the post You're replying to was ?


If you think your network is secure enough courtesy other mechanisms
then you can use RSH instead of SSH, but DO NOT try to use cvspserver
for anything but totally anonymous access.

There's a site outhere. It's sf.net . They demonstrate, with the number
of projects being hosted there (with pserver access), You're not right

The cvs server doesn't have to be run as root. IMHO it's pretty bad
idea to run it as root. Furthermore cvs provides several hooks, which
could be utilized if you need control at certain points and over
certain operations. E.g. commiters could be controlled by module and

About the password scrambling. It's well documented why it's like
that. The scrambling algorithm is also described. And it's all there.
In the manual. 
S.O. said that fake security is worse than no security. Password 
encryption in .cvspass should be considered "no security".

On the other side, people's stupidity is endless. I won't be surprised
to see private keys posted in a public forum. This, ofcourse, could
be nothing but a reason for admiration.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]