From: Eivind Eklund
Date: Sun, 25 Jan 1998 20:54:00 +0100
To: Nate Williams
Cc: Eivind Eklund, Andreas Klemm, hackers@FreeBSD.ORG
Subject: Re: why not CVS server support ?

On Sun, Jan 25, 1998 at 12:43:23PM -0700, Nate Williams wrote:
> > With the number of other security problems
> > it has had (allowing remote execution), I wouldn't consider that
> > secure, either - any kernel security hole that can be exploited by a
> > user program could still be abused.
>
> Umm, what kind of remote execution problems are you speaking of?
> PSERVER mode allows you to connect to a port and do remote CVS commands.
> Are you confusing PSERVER mode with standard RCVS mode which requires
> remote shell access?

No, definitely not.

pserver mode allows the user to overwrite the CVS wrappers, which again
allow access to executing binaries. This is a security hole (of the
same magnitude as allowing the user to execute binaries directly).

If you instead give the user a normal account, set his shell to a
script containing "cvs server", and only allow ssh access to your
machines, you can use permissions to deny access to the wrapper files.
(IIRC, permissions can be walked around in pserver mode. I don't
remember quite how, though).

Of course, even with a 'cvs server' shell you are vulnerable if there
are overflows and similar in CVS. But you are at least only vulnerable
to the users you actually give access, as snooping the passwords is no
longer possible.

Besides, a restricted 'cvs server' shell is much easier to set up and
administer than 'cvs pserver' mode :-)

Eivind.
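
One way to write the restricted 'cvs server' login shell described in the message above, as an added example that is not part of the original e-mail. The script name `cvs-only-shell`, the `CVS_BIN` path and the fixed `PATH` are assumptions; the script relies on sshd starting a requested command as `<login shell> -c "<command>"`.

```shell
#!/bin/sh
# Restricted login shell: the account can run "cvs server" and nothing else.
# Assumed install name: cvs-only-shell (set as the user's shell in the
# password database; the account is reachable over ssh only).

CVS_BIN=${CVS_BIN:-/usr/bin/cvs}   # assumed location of the cvs binary

# sshd hands the client's requested command to the login shell as:
#   <shell> -c "<command>"
# Return 0 only when the request is exactly: -c "cvs server"
cvs_request_allowed() {
    [ "$#" -eq 2 ] || return 1          # interactive logins arrive with no -c
    [ "$1" = "-c" ] || return 1
    [ "$2" = "cvs server" ] || return 1 # exact match, no trailing "; sh" etc.
    return 0
}

# Run cvs with a fixed argv, or refuse. Nothing the client sent is
# re-evaluated by a shell, so it cannot append extra commands.
run_cvs_shell() {
    if cvs_request_allowed "$@"; then
        PATH=/usr/bin:/bin; export PATH  # assumed minimal PATH
        umask 027
        exec "$CVS_BIN" server
    fi
    echo "This account is restricted to 'cvs server'." >&2
    return 1
}

# Act as a login shell only when invoked under the installed name, so the
# functions above can be sourced or tested without side effects.
case "${0##*/}" in
    cvs-only-shell)
        run_cvs_shell "$@"
        exit $?
        ;;
esac
```

A CVS client using the `:ext:` method with `CVS_RSH=ssh` requests exactly `cvs server`, which is the only request this shell accepts.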