Bugtraq mailing list archives
Re: CVS DoS
From: kris () FREEBSD ORG (Kris Kennaway)
Date: Mon, 1 May 2000 02:55:52 -0700
On Mon, 24 Apr 2000, Kris Kennaway wrote:

> On Mon, 24 Apr 2000, Kris Kennaway wrote:
>
> > of the filesystem used by CVS to maintain its lock state. It's also not quite as serious as it might first sound, because anyone who can legitimately connect to the CVS server remotely via CVS can cause a lock to be taken out over any part of the repository, with the same effect.
>
> Sorry, but on further thought I don't think this is true. Locks are only acquired for CVS write operations, not read operations.
No, I was right the first time (pointed out to me by Peter Jeremy <Peter.Jeremy () alcatel com au>) - both read and write operations will cause file lock creation. However, on FreeBSD, cvs clients can always use -R (readonly) for checkouts, which will bypass any locking on the server (this will therefore usually be much faster as well, since the client doesn't have to lock as it traverses).

So a malicious local user who creates faked lock files in /tmp will only hurt external checkins, and one could argue that you shouldn't be hosting your writable CVS repository on a host which contains malicious users (or allows anonymous access), as a matter of policy.

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe <forsythe () alum mit edu>
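A defender-side check for the lock-file scenario discussed in this message, added here as an example and not part of the thread or of CVS itself: it audits a CVS lock location for entries not owned by the CVS user (what a local user planting locks in a world-writable LockDir such as /tmp would leave behind) and for locks whose creating process is gone. It assumes the CVS 1.10/1.11 lock naming (`#cvs.lock`, `#cvs.rfl.HOST.PID`, `#cvs.wfl.HOST.PID`); the lock directory and owner uid are supplied by the caller.

```shell
# Added example (not from the thread). Assumes CVS 1.10/1.11 lock names:
#   #cvs.lock            master lock directory
#   #cvs.rfl.HOST.PID    read lock        #cvs.wfl.HOST.PID  write lock

# lock_pid FILE -> the PID suffix of a #cvs.rfl/#cvs.wfl name, else nothing.
lock_pid() {
  case "${1##*/}" in
    \#cvs.rfl.*|\#cvs.wfl.*) printf '%s\n' "${1##*.}" ;;
  esac
}

# lock_owner FILE -> numeric uid owning FILE (ls -n is POSIX, stat is not).
lock_owner() { ls -ldn "$1" | awk '{print $3}'; }

# audit_locks LOCKDIR OWNER_UID -> prints "reason path" per suspicious entry
# and returns how many were found (0 means clean).  Flags lock entries not
# owned by the CVS user (planted in a world-writable LockDir) and locks whose
# creating PID no longer exists (stale; nobody will ever remove them).
audit_locks() {
  lockdir=$1 owner=$2 bad=0
  for f in "$lockdir"/\#cvs.*; do
    [ -e "$f" ] || continue            # no match: glob left unexpanded
    if [ "$(lock_owner "$f")" != "$owner" ]; then
      echo "foreign-owner $f"; bad=$((bad + 1)); continue
    fi
    pid=$(lock_pid "$f")
    if [ -n "$pid" ] && ! kill -0 "$pid" 2>/dev/null; then
      echo "stale-pid $f"; bad=$((bad + 1))
    fi
  done
  return "$bad"
}

# Demo on a constructed lock directory, not a real repository.
demo=$(mktemp -d)
mkdir "$demo/#cvs.lock"
: > "$demo/#cvs.rfl.build.$$"            # live read lock (this shell's PID)
: > "$demo/#cvs.wfl.build.999999999"     # write lock left by a dead PID
audit_locks "$demo" "$(id -u)"; echo "suspicious entries: $?"
rm -rf "$demo"
```

Run it as the repository owner against the configured LockDir (or the repository itself when no LockDir is set); a non-zero count is worth a look before blaming a hung checkin on the network.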