Bugtraq mailing list archives
Re: cvs security problem
From: "Greg A. Woods" <woods () weird com>
Date: Mon, 31 Jul 2000 09:37:52 -0400
[ On , July 31, 2000 at 15:02:40 (+0900), Tanaka Akira wrote: ]
> Subject: Re: cvs security problem
>
> I think shell access is too dangerous. If shell access is possible, crackers can install dangerous programs to crack other machines. So, the assumption is unacceptable for me.
Shell access is not "dangerous" if it's done properly. A properly secured anonymous CVS server will not be trusted by any other systems and it will not have enough tools installed on it to be of any use to the cracker. Neither will it reside on a network segment where sensitive traffic passes by. It will be monitored regularly and automatically for unauthorised use, and the integrity of the CVS repository it serves will be regularly and automatically verified.
> Hm... I found another one with few hours investigating. I agree that it's very insecure.
PLEASE TRY TO UNDERSTAND: CVS is not insecure, _by_definition_!

CVS is DESIGNED *ONLY* to be used by people with shell access!!!!

This fact *MUST* be taken into account by *everyone* who sets up anonymous CVS servers!

I.e. you MUST assume that a determined cracker will eventually be able to gain shell access to your anonymous CVS server and you must take the precautions outlined above if you wish to protect it.

The only potential security problem with CVS is that the manual might not stress this semi-obvious fact strongly enough.

Perhaps if the inherently insecure cvspserver support were ripped out of it (it *NEVER* should have been added in the first place!), this wouldn't be an issue.

--
Greg A. Woods

+1 416 218-0098 VE3TCP <gwoods () acm org> <robohack!woods>
Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>
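The automatic repository integrity verification mentioned in the message above, as an added example that is not part of the original post or of CVS. It assumes the baseline manifest is taken from a trusted copy of the repository and stored off the server; the `TRIGGER_FILES` and `VOLATILE` selections and the function names are this example's own choices.

```python
import hashlib
import os
import tempfile

# CVSROOT files that run programs or hold pserver accounts (example's selection).
TRIGGER_FILES = {"commitinfo", "loginfo", "taginfo", "verifymsg", "modules", "passwd"}
# Files CVS rewrites during normal use, so they are not compared.
VOLATILE = {"CVSROOT/history", "CVSROOT/val-tags"}

def snapshot(repo):
    """Map each repository file (path relative to repo) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(repo):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, repo).replace(os.sep, "/")
            if name.startswith("#cvs.") or rel in VOLATILE:
                continue  # transient lock files and volatile admin files
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def compare(baseline, current):
    """Return (severity, change, path) for every difference, sorted by path."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue
        change = "added" if old is None else "removed" if new is None else "modified"
        top, _, rest = path.partition("/")
        name = rest[:-2] if rest.endswith(",v") else rest  # loginfo,v -> loginfo
        admin = top == "CVSROOT" and name in TRIGGER_FILES
        findings.append(("CRITICAL" if admin else "WARNING", change, path))
    return findings

def write(repo, rel, data):  # helper used to build the constructed sample
    full = os.path.join(repo, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as repo:  # constructed sample repository
        write(repo, "CVSROOT/loginfo", "# no triggers\n")
        write(repo, "proj/main.c,v", "head 1.1;\n")
        baseline = snapshot(repo)  # in practice stored off the server
        write(repo, "CVSROOT/loginfo", "ALL constructed-change\n")
        print(compare(baseline, snapshot(repo)))
```

Run from a separate trusted host or from read-only media, since a manifest or checker stored on the CVS server itself can be altered along with the repository.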