Bugtraq mailing list archives

Re: CVS DoS


From: kris () FREEBSD ORG (Kris Kennaway)
Date: Mon, 1 May 2000 02:55:52 -0700


On Mon, 24 Apr 2000, Kris Kennaway wrote:

> On Mon, 24 Apr 2000, Kris Kennaway wrote:
>
> > of the filesystem used by CVS to maintain its lock state. It's also not
> > quite as serious as it might first sound, because anyone who can
> > legitimately connect to the CVS server remotely via CVS can cause a lock
> > to be taken out over any part of the repository, with the same effect.
>
> Sorry, but on further thought I don't think this is true. Locks are only
> acquired for CVS write operations, not read operations.

No, I was right the first time (pointed out to me by Peter Jeremy
<Peter.Jeremy () alcatel com au>) - both read and write operations will cause
file lock creation.

However, on FreeBSD, cvs clients can always use -R (readonly) for
checkouts, which will bypass any locking on the server (this will
therefore usually be much faster as well, since the client doesn't have to
lock as it traverses). So a malicious local user who creates faked lock
files in /tmp will only hurt external checkins, and one could argue that
you shouldn't be hosting your writable CVS repository on a host which
contains malicious users (or allows anonymous access), as a matter of
policy.

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe () alum mit edu>
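
A server-side check for the faked lock files discussed in the message above, as an added example that is not part of the original post or of CVS itself. It assumes the operator knows the lock directory and which uids may legitimately create locks there; `audit_cvs_locks`, its parameters and the one-hour staleness threshold are hypothetical choices, while `#cvs.lock`, `#cvs.rfl` and `#cvs.wfl` are the lock names CVS uses.

```python
import os
import stat
import tempfile
import time

# CVS lock names: "#cvs.lock" (master lock directory), "#cvs.rfl*" (read
# lock files) and "#cvs.wfl*" (write lock files).
LOCK_PREFIXES = ("#cvs.lock", "#cvs.rfl", "#cvs.wfl")


def audit_cvs_locks(lock_root, allowed_uids, max_age_seconds=3600, now=None):
    """Return sorted (path, reason) pairs for suspicious locks under lock_root.

    allowed_uids: uids expected to own locks (assumption: committers and the
    account the CVS server runs as).
    """
    now = time.time() if now is None else now
    findings = []
    for dirpath, dirnames, filenames in os.walk(lock_root):
        for name in dirnames + filenames:
            if not name.startswith(LOCK_PREFIXES):
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow a planted symlink
            except FileNotFoundError:
                continue  # lock was released between listing and stat
            if stat.S_ISLNK(st.st_mode):
                findings.append((path, "symlink"))
            elif st.st_uid not in allowed_uids:
                findings.append((path, "owner uid %d not allowed" % st.st_uid))
            elif now - st.st_mtime > max_age_seconds:
                findings.append((path, "stale"))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample: a throwaway lock tree with one lock per kind.
    root = tempfile.mkdtemp()
    module = os.path.join(root, "module")
    os.mkdir(module)
    os.mkdir(os.path.join(module, "#cvs.lock"))
    open(os.path.join(module, "#cvs.rfl.host.1234"), "w").close()
    # Pretend only uid 0 may hold locks, so both entries are reported
    # unless this demo itself runs as root.
    for path, reason in audit_cvs_locks(root, allowed_uids={0}):
        print(path, "->", reason)
```

Run periodically against the real lock directory, this surfaces locks owned by accounts that never commit, or locks that outlive any plausible checkin.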


