Bugtraq mailing list archives
Re: Somewhat of a security hole in CVS
From: deraadt () CVS OPENBSD ORG (Theo de Raadt)
Date: Fri, 29 Aug 1997 11:51:35 -0600
> Of course, having someone do a complete security audit of CVS wouldn't hurt either ;-)
I looked at it a bit. It was above the quality of most GNU software. I didn't pay any attention to pserver because I think it's yet-another cleartext login method, and hence I would never use it.
> It is becoming increasingly used on the 'net for software distribution - the OpenBSD project being an example - and it lacks some basic features, such as integrated anonymous user support (without having to make a separate user and run the server as root,
We've had people in our group try to use pserver. When they did, they needed to make a change to the cvs source to permit anonymous user access. We actually prefer to use ssh/rsh access for the anoncvs servers, and we have a chroot wrapper that starts the cvs command up within a chroot space. It's basically as secure as ftpd's use of chroot. And if they get a shell, they discover that the entire chroot space is read-only.
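The wrapper Theo describes, as an added example: this is my own sketch of a chroot wrapper for an anonymous CVS account reached over ssh/rsh, not OpenBSD's actual anoncvs wrapper or any code from this thread. It assumes the wrapper is installed as the anoncvs account's login shell (or as an sshd forced command, in which case the client's request arrives in SSH_ORIGINAL_COMMAND), that it starts as root so that chroot(2) is possible, and that the chroot directory (/anoncvs), the account name (anoncvs) and the location of the cvs binary and its libraries inside the chroot are as named here; all of those are assumptions. The one command a remote "cvs -d :ext:..." client ever asks the remote side to run is "cvs server", so that is the only command the wrapper accepts; everything else, including a shell, is refused before any privilege is touched.

```c
/* anoncvs_wrap.c: added example of a chroot wrapper for anonymous CVS
 * over ssh/rsh. Not OpenBSD's wrapper; paths, user name and the forced
 * command mechanism below are assumptions for illustration. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <pwd.h>
#include <grp.h>

#define ANONCVS_ROOT "/anoncvs"   /* assumed chroot directory, mounted read-only */
#define ANONCVS_USER "anoncvs"    /* assumed unprivileged account */
#define CVS_BINARY   "/usr/bin/cvs" /* path of cvs inside the chroot (assumed) */

/* A ":ext:" client runs exactly "cvs server" on the remote side. Accept
 * that and nothing else: no other cvs arguments, no shell, no
 * metacharacters. Leading blanks and a trailing newline are tolerated.
 * Returns 1 if the command is allowed, 0 otherwise. */
int command_allowed(const char *cmd)
{
    static const char allowed[] = "cvs server";
    size_t n;

    if (cmd == NULL)
        return 0;
    while (*cmd == ' ' || *cmd == '\t')
        cmd++;
    n = strlen(cmd);
    while (n > 0 && (cmd[n - 1] == ' ' || cmd[n - 1] == '\t' || cmd[n - 1] == '\n'))
        n--;
    return n == strlen(allowed) && strncmp(cmd, allowed, n) == 0;
}

/* Confine the process to ANONCVS_ROOT and drop to the anon uid/gid.
 * Must be called as root (chroot(2) needs it). Returns 0 on success,
 * -1 on any failure; the caller must then exit without exec'ing cvs. */
static int confine(void)
{
    struct passwd *pw = getpwnam(ANONCVS_USER);

    if (pw == NULL || pw->pw_uid == 0)
        return -1;
    if (chroot(ANONCVS_ROOT) != 0)
        return -1;
    if (chdir("/") != 0)            /* never keep a cwd outside the new root */
        return -1;
    if (setgroups(0, NULL) != 0)    /* clear supplementary groups first */
        return -1;
    if (setgid(pw->pw_gid) != 0)
        return -1;
    if (setuid(pw->pw_uid) != 0)
        return -1;
    if (setuid(0) == 0)             /* privileges must be gone for good */
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* sshd with a forced command hands the client's request over in
     * SSH_ORIGINAL_COMMAND; rshd runs the login shell as "shell -c cmd",
     * so fall back to argv[2] when argv[1] is "-c". */
    const char *cmd = getenv("SSH_ORIGINAL_COMMAND");

    if (cmd == NULL && argc == 3 && strcmp(argv[1], "-c") == 0)
        cmd = argv[2];
    if (!command_allowed(cmd)) {
        fprintf(stderr, "anoncvs: only 'cvs server' is permitted\n");
        return 1;
    }
    if (confine() != 0) {
        perror("anoncvs: cannot enter chroot as " ANONCVS_USER);
        return 1;
    }
    /* Inside the read-only chroot now, as the anon user: start cvs in
     * server mode against the repository copy kept there. */
    execl(CVS_BINARY, "cvs", "server", (char *)NULL);
    perror("anoncvs: exec cvs");
    return 1;
}
```

The order matters: the command check runs first so that a rejected request never reaches chroot(2), and the privilege drop is verified by a setuid(0) that must fail. Because the chroot tree is read-only, someone who does manage to get a shell inside it finds nothing they can modify, which is the point Theo makes above.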