Bugtraq mailing list archives
Re: Somewhat of a security hole in CVS
From: marcs () ZNEP COM (Marc Slemko)
Date: Fri, 29 Aug 1997 12:37:31 -0600
On Fri, 29 Aug 1997, Theo de Raadt wrote:
> > Of course, having someone do a complete security audit of CVS wouldn't hurt either ;-)
>
> I looked at it a bit. It was above the quality of most GNU software. I didn't pay any attention to pserver because I think it's yet-another cleartext login method, and hence I would never use it.
Sending passwords across the network in cleartext is the least of your worries with pserver. Two bigger concerns are that it runs on an unprivileged port from inetd which means on most systems you can steal connections away from it and grab the passwords (ok, so OpenBSD and some other OSes will stop you from rebinding to the port as a different uid, but all you have to do is make inetd give up and release it) and that the password used for access is stored unencrypted (trivially encoded, but not encrypted) on the local disk.
> We actually prefer to use ssh/rsh access for the anoncvs servers, and we have a chroot wrapper that starts the cvs command up within a chroot space. It's basically as secure as ftpd's use of chroot. And if they get a shell, they discover that the entire chroot space is read-only.
pserver is easy to set up that way too, assuming you already have read-only hacks in CVS such as the ones the OpenBSD source has. I prefer pserver to ssh for anoncvs because connection establishment time is lower. rsh is reasonable, but if you don't allow rsh connects to your machine... That all assumes, of course, that you aren't concerned about getting hacked source from someone pretending to be the server. If you are, ssh is obviously the way to go. For real commit access to the repository, ssh is the best solution I have found.

On Fri, 29 Aug 1997, Elliot Lee wrote:
> If you run the CVS pserver as per the instructions in the CVS info page (running it as root from inetd) anyone can get access to any account except root (and perhaps root too - there may be CVS commands that run scripts and don't check if uid == 0). If you don't run it as root they can still get full access to the repository.
This is old news. The latest cvs (1.9.14, perhaps .10 as well) has a --allow-root option that needs to be passed to it on the command line to tell you what repositories to allow access to. Then, of course, you have to be sure that $CVSROOT, $CVSROOT/CVSROOT and $CVSROOT/CVSROOT/* are not writable by anyone who shouldn't have root. Don't trust pserver is my best recommendation.
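
An added example, not part of the original post: a small Python check for the two points in the last reply, that every active pserver entry in inetd.conf carries --allow-root and that $CVSROOT, $CVSROOT/CVSROOT and $CVSROOT/CVSROOT/* are not owned or writable by untrusted users. The sample inetd.conf lines, the paths in them, and the function names are constructed for illustration.

```python
import os
import stat
import sys

# Constructed sample inetd.conf content (binary and repository paths are assumptions).
SAMPLE_INETD_CONF = """\
cvspserver stream tcp nowait root /usr/local/bin/cvs cvs --allow-root=/cvs pserver
cvspserver stream tcp nowait root /usr/local/bin/cvs cvs pserver
#cvspserver stream tcp nowait root /usr/local/bin/cvs cvs pserver
"""

def pserver_lines_missing_allow_root(inetd_conf_text):
    """Return active inetd.conf lines that start pserver without --allow-root."""
    bad = []
    for raw in inetd_conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if "pserver" in fields and not any(
                f.startswith("--allow-root=") for f in fields):
            bad.append(raw.strip())
    return bad

def writable_admin_paths(cvsroot, trusted_uids=(0,)):
    """Check $CVSROOT, $CVSROOT/CVSROOT and $CVSROOT/CVSROOT/* for ownership or
    write access outside trusted_uids. Returns a list of (path, [reasons])."""
    admin = os.path.join(cvsroot, "CVSROOT")
    paths = [cvsroot, admin]
    paths += [os.path.join(admin, name) for name in sorted(os.listdir(admin))]
    findings = []
    for path in paths:
        st = os.stat(path)
        reasons = []
        if st.st_uid not in trusted_uids:
            # The owner can always chmod the file back to writable.
            reasons.append("owned by uid %d" % st.st_uid)
        if st.st_mode & stat.S_IWGRP:
            reasons.append("group-writable")
        if st.st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if reasons:
            findings.append((path, reasons))
    return findings

if __name__ == "__main__":
    for line in pserver_lines_missing_allow_root(SAMPLE_INETD_CONF):
        print("no --allow-root:", line)
    if len(sys.argv) > 1:  # optional argument: path to a real repository root
        for path, reasons in writable_admin_paths(sys.argv[1]):
            print(path + ": " + ", ".join(reasons))
```

Group-writable entries are reported unconditionally; whether they matter depends on who is in that group on the server.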