[16035] in bugtraq


Re: cvs security problem

daemon@ATHENA.MIT.EDU (Mike Eldridge)
Tue Aug 1 17:15:56 2000

Mime-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="1104091574-1112370144-965057966=:25670"
Message-Id:  <Pine.LNX.4.10.10007311029010.25670-200000@mail.cafes.net>
Date:         Mon, 31 Jul 2000 10:39:26 -0500
Reply-To: Mike Eldridge <diz@CAFES.NET>
From: Mike Eldridge <diz@CAFES.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <200007281820.OAA09553@multics.mit.edu>


--1104091574-1112370144-965057966=:25670
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Fri, 28 Jul 2000, Kev wrote:
> > I found two security problems in cvs-1.10.8.
>
> From the CVS info page (Node: Password authentication security):
>
>      The separate CVS password file (*note Password authentication
>   server::) allows people to use a different password for repository
>   access than for login access.  On the other hand, once a user has
>   non-read-only access to the repository, she can execute programs on the
>   server system through a variety of means.  Thus, repository access
>   implies fairly broad system access as well.  It might be possible to
>   modify CVS to prevent that, but no one has done so as of this writing.
>
> (cvs version 1.10.7; I'd be surprised if .8 has changed that much in this
> respect.)
>
> This has been the case for quite some time.  It would be nice if CVS
> could be made more secure, but it would probably take a lot of work.

A while ago, I wrote a simple cvs wrapper that takes away this "fairly
broad system access" by setuid() and chroot().  This is the easiest method
of limiting access granted by almost anything.  Attached is source for the
wrapper.  Being only 181 lines long, I should hope there are no blatant
errors in my code, but we all do stupid things.  =)

My cvs server has a minimal set of files for a chroot()ed environment.
Following is a listing of my /usr/cvsroot.

It should be noted that cvs was never intended to be secure, but I find
that this wrapper does a nice job of ensuring minimal access.

Mike Eldridge

/usr/cvsroot:
total 6
drwxr-xr-x   2 cvs      cvs          1024 Nov 26  1999 bin
drwxr-xr-x   9 cvs      cvs          1024 Apr  4 14:07 cvsroot
drwxr-xr-x   2 cvs      cvs          1024 Nov 26  1999 dev
drwxr-xr-x   2 cvs      cvs          1024 Jun  1 14:26 etc
drwxr-xr-x   2 cvs      cvs          1024 Nov 26  1999 lib
drwxr-xr-x   2 cvs      cvs          1024 Jul 28 17:14 tmp

bin:
total 479
-rwxr-xr-x   1 cvs      cvs        486932 Oct  2  1998 cvs

cvsroot:
total 7
drwxrwxr-x   2 cvs      cvs          1024 Jun  1 14:18 CVSROOT

cvsroot/CVSROOT:
total 60
-r--r--r--   1 cvs      cvs           493 Nov 26  1999 checkoutlist
-r--r--r--   1 cvs      cvs           691 Nov 26  1999 checkoutlist,v
-r--r--r--   1 cvs      cvs           760 Nov 26  1999 commitinfo
-r--r--r--   1 cvs      cvs           958 Nov 26  1999 commitinfo,v
-r--r--r--   1 cvs      cvs           364 Nov 26  1999 config
-r--r--r--   1 cvs      cvs           562 Nov 26  1999 config,v
-r--r--r--   1 cvs      cvs           753 Nov 26  1999 cvswrappers
-r--r--r--   1 cvs      cvs           951 Nov 26  1999 cvswrappers,v
-r--r--r--   1 cvs      cvs          1025 Nov 26  1999 editinfo
-r--r--r--   1 cvs      cvs          1223 Nov 26  1999 editinfo,v
-rw-rw-r--   1 cvs      cvs         27000 Jun  9 14:18 history
-r--r--r--   1 cvs      cvs          1141 Nov 26  1999 loginfo
-r--r--r--   1 cvs      cvs          1339 Nov 26  1999 loginfo,v
-r--r--r--   1 cvs      cvs          1151 Nov 26  1999 modules
-r--r--r--   1 cvs      cvs          1349 Nov 26  1999 modules,v
-r--r--r--   1 cvs      cvs           564 Nov 26  1999 notify
-r--r--r--   1 cvs      cvs           762 Nov 26  1999 notify,v
-r--r--r--   1 cvs      cvs           649 Nov 26  1999 rcsinfo
-r--r--r--   1 cvs      cvs           847 Nov 26  1999 rcsinfo,v
-rw-r--r--   1 root     root            5 Jun  1 14:18 readers
-r--r--r--   1 cvs      cvs           879 Nov 26  1999 taginfo
-r--r--r--   1 cvs      cvs          1077 Nov 26  1999 taginfo,v
-r--r--r--   1 cvs      cvs          1026 Nov 26  1999 verifymsg
-r--r--r--   1 cvs      cvs          1224 Nov 26  1999 verifymsg,v

dev:
total 0
crw-rw-rw-   1 cvs      cvs        1,   3 May  5  1998 null

etc:
total 2
-rw-r--r--   1 cvs      cvs            98 Nov 26  1999 ld.so.cache
-rw-r--r--   1 cvs      cvs             0 Nov 26  1999 ld.so.conf
-rw-r--r--   1 cvs      cvs           128 Jun  1 14:14 passwd

lib:
total 891
-rwxr-xr-x   1 cvs      cvs         40452 Nov 26  1999 ld-2.0.7.so
lrwxrwxrwx   1 cvs      cvs            11 Nov 26  1999 ld-linux.so.2 -> ld-2.0.7.so
-rwxr-xr-x   1 cvs      cvs        650524 Nov 26  1999 libc-2.0.7.so
lrwxrwxrwx   1 cvs      cvs            13 Nov 26  1999 libc.so.6 -> libc-2.0.7.so
-rwxr-xr-x   1 cvs      cvs        181993 Oct 13  1998 libcrypt-2.0.7.so
lrwxrwxrwx   1 cvs      cvs            17 Nov 26  1999 libcrypt.so.1 -> libcrypt-2.0.7.so
-rwxr-xr-x   1 cvs      cvs         30172 Nov 26  1999 libnss_files-2.0.7.so
lrwxrwxrwx   1 cvs      cvs            21 Nov 26  1999 libnss_files.so.1 -> libnss_files-2.0.7.so

tmp:
total 0

--1104091574-1112370144-965057966=:25670
Content-Type: TEXT/PLAIN; charset=US-ASCII; name="cvsd.c"
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.LNX.4.10.10007311039260.25670@mail.cafes.net>
Content-Description: cvs wrapper source
Content-Disposition: attachment; filename="cvsd.c"

--1104091574-1112370144-965057966=:25670--
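
The chroot()-then-setuid() confinement described in the message above, written out step by step as an added example; it is not the attached cvsd.c or the author's code. The uid/gid 65534 and the in-jail paths /bin/cvs and /cvsroot are assumptions based on the layout of the directory listing.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum jail_err { JAIL_OK = 0, JAIL_ROOT_TARGET, JAIL_CHDIR, JAIL_CHROOT,
                JAIL_GROUPS, JAIL_GID, JAIL_UID, JAIL_REGAINED };

/* Confine the calling process to `root`, then irreversibly become uid/gid.
 * Returns JAIL_OK or the first step that failed; the caller must exit on
 * any failure rather than continue with partial confinement. */
static enum jail_err jail_and_drop(const char *root, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)          /* root can walk out of a chroot */
        return JAIL_ROOT_TARGET;
    if (chdir(root) != 0)              /* be inside the tree before chroot */
        return JAIL_CHDIR;
    if (chroot(".") != 0)
        return JAIL_CHROOT;
    if (chdir("/") != 0)               /* cwd must not point outside the jail */
        return JAIL_CHDIR;
    if (setgroups(0, NULL) != 0)       /* drop supplementary groups first */
        return JAIL_GROUPS;
    if (setgid(gid) != 0)              /* group before user: needs privilege */
        return JAIL_GID;
    if (setuid(uid) != 0)              /* an unchecked failure leaves us root */
        return JAIL_UID;
    if (setuid(0) == 0 || geteuid() != uid)  /* the drop must be permanent */
        return JAIL_REGAINED;
    return JAIL_OK;
}

int main(int argc, char **argv)
{
    /* Assumed values: jail path from argv, 65534 as a placeholder uid/gid. */
    const char *root = argc > 1 ? argv[1] : "/usr/cvsroot";
    enum jail_err e = jail_and_drop(root, 65534, 65534);
    if (e != JAIL_OK) {
        fprintf(stderr, "jail step %d failed (errno: %s)\n", (int)e, strerror(errno));
        return 1;
    }
    /* Paths are relative to the new root, matching bin/cvs and cvsroot above. */
    execl("/bin/cvs", "cvs", "--allow-root=/cvsroot", "pserver", (char *)NULL);
    perror("exec");
    return 1;
}
```

The wrapper has to start as root (for example from inetd) for chroot() to succeed; every step after that is checked so the server is never exec'd half-confined.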
