Bugtraq mailing list archives
Re: CVS woes: .cvspass
From: "Greg A. Woods" <woods () weird com>
Date: Tue, 27 Jul 2004 16:20:10 -0400 (EDT)
[ On Tuesday, July 27, 2004 at 03:00:52 (+0900), Chiaki wrote: ]
Subject: CVS woes: .cvspass The file revision control system, CVS, stores often used server's password in users .cvspass file. (When we use pserver mode to set up a central repository and access it from remote workstations, that is.)
Anyone using the CVS pserver mechanism for anything other than totally
anonymous access gets only what they deserve.
If you want to keep your CVS repository secure then don't try to use CVS
as a security tool -- it wasn't designed for it, and it cannot be
"fixed" either (it's not a bug -- CVS is a version control tool, not a
security tool and CVS is designed _only_ to be executed by the unique
user performing operations on repository).
Use SSH or some other secure remote job execution tool to create a
secure connection for CVS to work with.
--
Greg A. Woods
+1 416 218-0098 VE3TCP RoboHack <woods () robohack ca>
Planix, Inc. <woods () planix com> Secrets of the Weird <woods () weird com>
Current thread:
- CVS woes: .cvspass Chiaki (Jul 26)
- Re: CVS woes: .cvspass Valdis . Kletnieks (Jul 27)
- Re: CVS woes: .cvspass Andreas Beck (Jul 28)
- Re: CVS woes: .cvspass Greg A. Woods (Jul 27)
- Re: CVS woes: .cvspass Delian Krustev (Jul 30)
- Re: CVS woes: .cvspass Valdis . Kletnieks (Jul 27)