Date: Sun, 25 Jan 1998 13:35:20 -0700
From: Nate Williams <nate@mt.sri.com>
To: Eivind Eklund <eivind@yes.no>
Cc: Nate Williams <nate@mt.sri.com>, Andreas Klemm <andreas@klemm.gtn.com>, hackers@FreeBSD.ORG
Subject: Re: why not CVS server support ?
Message-ID: <199801252035.NAA29032@mt.sri.com>
In-Reply-To: <19980125205400.52069@follo.net>
References: <19980125175618.10691@klemm.gtn.com> <19980125183247.09801@follo.net> <199801251932.MAA28784@mt.sri.com> <19980125203750.05884@follo.net> <199801251943.MAA28850@mt.sri.com> <19980125205400.52069@follo.net>

Eivind Eklund writes:
> On Sun, Jan 25, 1998 at 12:43:23PM -0700, Nate Williams wrote:
> > > With the number of other security problems
> > > it has had (allowing remote execution), I wouldn't consider that
> > > secure, either - any kernel security hole that can be exploited by a
> > > user program could still be abused.
> >
> > Umm, what kind of remote execution problems are you speaking of?
> > PSERVER mode allows you to connect to a port and do remote CVS commands.
> > Are you confusing PSERVER mode with standard RCVS mode which requires
> > remote shell access?
>
> No, definitely not.  pserver mode allows the user to overwrite the CVS
> wrappers, which again allow access to executing binaries.

Nope, not if you know how to set up things in CVSROOT correctly.

> This is a
> security hole (of the same magnitude as allowing the user to execute
> binaries directly).

True, but it's not a security hole if you know how to set things up and
read the information in the CVS distribution on it.

> (IIRC, permissions can be walked around in pserver mode.  I don't
> remember quite how, though).

They *could* be walked around, but that bug was fixed at about V1.9.6 I
believe (and FreeBSD is using 1.9.10, which is secure if the above number is
correct..)

> Besides, a restricted 'cvs server' shell is much easier to set up and
> administer than 'cvs pserver' mode :-)

Not really.  'cvs pserver' is a piece of cake to set up *IF* you know what
you are doing. :) :)

Nate