Bugtraq mailing list archives
Somewhat of a security hole in CVS
From: sopwith () REDHAT COM (Elliot Lee)
Date: Fri, 29 Aug 1997 12:08:48 -0400
If you run the CVS pserver as per the instructions in the CVS info page (running it as root from inetd) anyone can get access to any account except root (and perhaps root too - there may be CVS commands that run scripts and don't check if uid == 0). If you don't run it as root they can still get full access to the repository.

Basically, the luser makes their own CVS repository with a "customized" password file, changes commitinfo so it runs a "chmod 6555 /bin/sh" script, and does a commit of something.

This is more of a site configuration problem than anything else - it's not really a weakness inherent in CVS(?). A patch to server.c to limit usage of the 'Repository' and 'Directory' commands to only those listed in /etc/cvs-repositories might be useful, but I'm not sure how thorough that would be.

Of course, having someone do a complete security audit of CVS wouldn't hurt either ;-) It is becoming increasingly used on the 'net for software distribution - the OpenBSD project being an example - and it lacks some basic features, such as integrated anonymous user support (without having to make a separate user and run the server as root, or enable rsh/ssh access), that it could use.

Hope this helps,
-- Elliot - http://www.redhat.com/
What's nice about GUI is that you see what you manipulate.
What's bad about GUI is that you can only manipulate what you see.
| http://www.cauce.org/ | http://www.linuxnet.org/ |
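The allowlist check the post proposes for client-supplied repository paths could look like the following. This is an added example, not code from the post or from CVS: the function names `normalize` and `root_allowed`, the one-root-per-line file format and the sample file contents are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample contents for the /etc/cvs-repositories file from the post. */
static const char SAMPLE_LIST[] = "# allowed roots\n/cvs\n/usr/local/cvsroot/\n";

/* Lexically normalise an absolute path (collapse "//" and "/./", drop trailing "/").
 * Returns -1 for relative paths, ".." components or overflow. */
static int normalize(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    if (in[0] != '/' || outsz < 2) return -1;
    while (*in) {
        while (*in == '/') in++;
        size_t len = strcspn(in, "/");
        if (len == 0) break;
        if (len == 1 && in[0] == '.') { in += len; continue; }
        if (len == 2 && in[0] == '.' && in[1] == '.') return -1;
        if (o + len + 2 > outsz) return -1;
        out[o++] = '/';
        memcpy(out + o, in, len);
        o += len; in += len;
    }
    if (o == 0) out[o++] = '/';
    out[o] = '\0';
    return 0;
}

/* Return 1 only if the client-supplied root exactly matches an allowlisted root; all else
 * fails closed. Lexical only: a real server should also resolve symlinks (realpath()). */
int root_allowed(const char *requested, const char *list)
{
    char want[1024], have[1024], line[1024];
    if (normalize(requested, want, sizeof want) != 0) return 0;
    for (; *list; list += (*list == '\n')) {
        size_t len = strcspn(list, "\n");
        if (len < sizeof line) {
            memcpy(line, list, len); line[len] = '\0';
            if (normalize(line, have, sizeof have) == 0 && strcmp(want, have) == 0)
                return 1;
        }
        list += len;
    }
    return 0;
}

int main(void)
{
    printf("%d\n", root_allowed("/home/luser/myrepo", SAMPLE_LIST)); return 0;
}
```

The check has to run before the server reads anything (password file, commitinfo) from the requested root, since those files are what a user-created repository controls.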