Date: Mon, 26 Jan 2004 14:05:56 -0600 From: "Jacques A. Vidrine" <nectar@FreeBSD.org> To: "Bruce A. Mah" <bmah@freebsd.org> Cc: cvs-all@freebsd.org Subject: Re: cvs commit: src/contrib/cvs/src server.c Message-ID: <20040126200556.GB76044@madman.celabo.org> In-Reply-To: <20040126165039.GC98500@intruder.kitchenlab.org> References: <200401260008.i0Q08cIl014780@repoman.freebsd.org> <20040126000922.GA6102@madman.celabo.org> <20040126004123.GJ53344@elvis.mu.org> <20040126125638.GC9772@madman.celabo.org> <4015377A.3000609@freebsd.org> <20040126165039.GC98500@intruder.kitchenlab.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Jan 26, 2004 at 08:50:39AM -0800, Bruce A. Mah wrote:
> If memory serves me right, Scott Long wrote:
>
> [Lots of context snipped.]
>
> > I guess this means that an UPDATING entry is in order, along with some
> > special words in the release notes. Bruce?
>
> Added this to the release notes...someone feel free to correct me if
> further details are needed or if I got anything wrong (caffeine hasn't
> kicked in yet this morning).
Um, I feel there has been some misunderstanding here that might
explain why some folks were bent out of shape about this change for
5.2.1.
CVS ChangeLog and my commit message:
* pserver can no longer be configured to run as root via the
$CVSROOT/CVSROOT/passwd file, so if your passwd file is
compromised, it no longer leads directly to a root hack. Attempts
to root will also be logged via the syslog.
Bruce's relnotes blurb:
+ <para>&new.521; Two security fixes for <application>CVS</application> (one
+ related to pserver operation and the other dealing with
+ malformed module requests) have been backported from later
+ versions. One side effect of this update is that running
+ pserver as <username>root</username> (a configuration that was
+ already unsupported and insecure) no longer works.</para>
+
A comment from Xin Li:
: I think he may mean the configuration in /etc/inetd.conf, circa line 63,
: where the example shows how to run cvs pserver as root.
I think that `run as root' has been misinterpreted by some.
This change does *NOT* suddenly make an inetd.conf configuration line
like the following stop working:
cvspserver stream tcp nowait root /usr/bin/cvs cvs --allow-root=/your/cvsroot/here pserver
Rather, the change disables lines like the following in
$CVSROOT/CVSROOT/passwd:
luser:bxOZZuQd4CoXs:root
Without this fix, one who can modify $CVSROOT/CVSROOT/passwd would be
able to gain root access.
Cheers,
--
Jacques Vidrine NTT/Verio SME FreeBSD UNIX Heimdal
nectar@celabo.org jvidrine@verio.net nectar@freebsd.org nectar@kth.se
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040126200556.GB76044>