[16011] in bugtraq

Re: cvs security problem

daemon@ATHENA.MIT.EDU (Greg A. Woods)
Sat Jul 29 16:37:33 2000

Message-Id: <20000728200315.6621C8B@proven.weird.com>
Date: Fri, 28 Jul 2000 16:03:15 -0400
Reply-To: "Greg A. Woods" <woods@weird.com>
From: "Greg A. Woods" <woods@WEIRD.COM>
X-To: Tanaka Akira <akr@M17N.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <hvou2daoebb.fsf@serein.m17n.org>

[ On Friday, July 28, 2000 at 17:21:28 (+0900), Tanaka Akira wrote: ]
> Subject: cvs security problem
>
> I found two security problems in cvs-1.10.8.
>
> (1) A committer can execute any binary in server using
>     CVS/Checkin.prog or CVS/Update.prog.

Yeah.  So?  This is meaningless.  CVS is not designed to prevent this.
In fact quite the opposite -- it is assumed that CVS users with commit
access do have shell access to the CVS server.

In fact normally the "cvspserver" method of accessing a CVS repository
should only ever be used for anonymous read-only access, and even then
it is well known that shell access to the server may be possible (under
the user-id that the cvspserver daemon runs as, of course).

A properly configured CVS server will use a secure remote execution
facility (such as SSH) which by definition means that any committer will
have shell access to the server, but of course only under a properly
authorised user-id -- i.e. they'll be accountable for their actions.

--
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods@acm.org>      <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>