[5226] in bugtraq
Re: Somewhat of a security hole in CVS
daemon@ATHENA.MIT.EDU (Theo de Raadt)
Fri Aug 29 14:08:06 1997
Date: Fri, 29 Aug 1997 11:51:35 -0600
Reply-To: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
From: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
X-To: Elliot Lee <sopwith@REDHAT.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Fri, 29 Aug 1997 12:08:48 EDT."
<Pine.LNX.3.95.970829115337.4212F-100000@lacrosse.redhat.com>
> Of course, having someone do a complete security audit of CVS wouldn't
> hurt either ;-)
I looked at it a bit. It was above the quality of most GNU software.
I didn't pay any attention to pserver because I think it's yet-another
cleartext login method, and hence I would never use it.
> It is becoming increasingly used on the 'net for software
> distribution - the OpenBSD project being an example - and it lacks some
> basic features, such as integrated anonymous user support (without having
> to make a separate user and run the server as root,
We've had people in our group try to use pserver. When they did, they
needed to make a change to the cvs source to permit anonymous user
access.
We actually prefer to use ssh/rsh access for the anoncvs servers, and
we have a chroot wrapper that starts the cvs command up within a
chroot space. It's basically as secure as ftpd's use of chroot. And
if they get a shell, they discover that the entire chroot space is
read-only.
