Bugtraq mailing list archives
Re: cvs security problem
From: Mike Eldridge <diz () CAFES NET>
Date: Mon, 31 Jul 2000 10:39:26 -0500
On Fri, 28 Jul 2000, Kev wrote:
I found two security problems in cvs-1.10.8.From the CVS info page (Node: Password authentication security):The separate CVS password file (*note Password authentication server::) allows people to use a different password for repository access than for login access. On the other hand, once a user has non-read-only access to the repository, she can execute programs on the server system through a variety of means. Thus, repository access implies fairly broad system access as well. It might be possible to modify CVS to prevent that, but no one has done so as of this writing. (cvs version 1.10.7; I'd be suprised if .8 has changed that much in this respect.) This has been the case for quite some time. It would be nice if CVS could be made more secure, but it would probably take a lot of work.
A while ago, I wrote a simple cvs wrapper that takes away this "fairly broad system access" by setuid() and chroot(). This is the easiest method of limiting access granted by almost anything. Attached is source for the wrapper. Being only 181 lines long, I should hope there are no blatant errors in my code, but we all do stupid things. =) My cvs server has a minimal set of files for a chroot()ed environment. Following is a listing of my /usr/cvsroot. It should be noted that cvs was never intended to be secure, but I find that this wrapper does a nice job of ensuring minimal access. Mike Eldridge /usr/cvsroot: total 6 drwxr-xr-x 2 cvs cvs 1024 Nov 26 1999 bin drwxr-xr-x 9 cvs cvs 1024 Apr 4 14:07 cvsroot drwxr-xr-x 2 cvs cvs 1024 Nov 26 1999 dev drwxr-xr-x 2 cvs cvs 1024 Jun 1 14:26 etc drwxr-xr-x 2 cvs cvs 1024 Nov 26 1999 lib drwxr-xr-x 2 cvs cvs 1024 Jul 28 17:14 tmp bin: total 479 -rwxr-xr-x 1 cvs cvs 486932 Oct 2 1998 cvs cvsroot: total 7 drwxrwxr-x 2 cvs cvs 1024 Jun 1 14:18 CVSROOT cvsroot/CVSROOT: total 60 -r--r--r-- 1 cvs cvs 493 Nov 26 1999 checkoutlist -r--r--r-- 1 cvs cvs 691 Nov 26 1999 checkoutlist,v -r--r--r-- 1 cvs cvs 760 Nov 26 1999 commitinfo -r--r--r-- 1 cvs cvs 958 Nov 26 1999 commitinfo,v -r--r--r-- 1 cvs cvs 364 Nov 26 1999 config -r--r--r-- 1 cvs cvs 562 Nov 26 1999 config,v -r--r--r-- 1 cvs cvs 753 Nov 26 1999 cvswrappers -r--r--r-- 1 cvs cvs 951 Nov 26 1999 cvswrappers,v -r--r--r-- 1 cvs cvs 1025 Nov 26 1999 editinfo -r--r--r-- 1 cvs cvs 1223 Nov 26 1999 editinfo,v -rw-rw-r-- 1 cvs cvs 27000 Jun 9 14:18 history -r--r--r-- 1 cvs cvs 1141 Nov 26 1999 loginfo -r--r--r-- 1 cvs cvs 1339 Nov 26 1999 loginfo,v -r--r--r-- 1 cvs cvs 1151 Nov 26 1999 modules -r--r--r-- 1 cvs cvs 1349 Nov 26 1999 modules,v -r--r--r-- 1 cvs cvs 564 Nov 26 1999 notify -r--r--r-- 1 cvs cvs 762 Nov 26 1999 notify,v -r--r--r-- 1 cvs cvs 649 Nov 26 1999 rcsinfo -r--r--r-- 1 cvs cvs 847 Nov 26 1999 rcsinfo,v -rw-r--r-- 1 root root 5 Jun 1 14:18 readers -r--r--r-- 1 cvs cvs 879 Nov 26 1999 taginfo -r--r--r-- 1 cvs cvs 1077 Nov 26 1999 taginfo,v -r--r--r-- 1 cvs cvs 1026 Nov 26 1999 verifymsg -r--r--r-- 1 cvs cvs 1224 Nov 26 1999 verifymsg,v dev: total 0 crw-rw-rw- 1 cvs cvs 1, 3 May 5 1998 null etc: total 2 -rw-r--r-- 1 cvs cvs 98 Nov 26 1999 ld.so.cache -rw-r--r-- 1 cvs cvs 0 Nov 26 1999 ld.so.conf -rw-r--r-- 1 cvs cvs 128 Jun 1 14:14 passwd lib: total 891 -rwxr-xr-x 1 cvs cvs 40452 Nov 26 1999 ld-2.0.7.so lrwxrwxrwx 1 cvs cvs 11 Nov 26 1999 ld-linux.so.2 -> ld-2.0.7.so -rwxr-xr-x 1 cvs cvs 650524 Nov 26 1999 libc-2.0.7.so lrwxrwxrwx 1 cvs cvs 13 Nov 26 1999 libc.so.6 -> libc-2.0.7.so -rwxr-xr-x 1 cvs cvs 181993 Oct 13 1998 libcrypt-2.0.7.so lrwxrwxrwx 1 cvs cvs 17 Nov 26 1999 libcrypt.so.1 -> libcrypt-2.0.7.so -rwxr-xr-x 1 cvs cvs 30172 Nov 26 1999 libnss_files-2.0.7.so lrwxrwxrwx 1 cvs cvs 21 Nov 26 1999 libnss_files.so.1 -> libnss_files-2.0.7.so tmp: total 0
Attachment:
cvsd.c
Description: cvs wrapper source
Current thread:
- Re: cvs security problem Mike Eldridge (Aug 01)
- <Possible follow-ups>
- Re: cvs security problem sama (Aug 01)
- Re: cvs security problem Brian Behlendorf (Aug 01)
- Re: cvs security problem Greg A. Woods (Aug 01)
- Re: cvs security problem Greg A. Woods (Aug 01)