Bugtraq mailing list archives
Re: cvs security problem
From: Tanaka Akira <akr () M17N ORG>
Date: Sat, 29 Jul 2000 19:32:49 +0900
In article <200007281820.OAA09553 () multics mit edu>, Kev <klmitch () mit edu> writes:
> From the CVS info page (Node: Password authentication security):
>
>    The separate CVS password file (*note Password authentication
>    server::) allows people to use a different password for repository
>    access than for login access.  On the other hand, once a user has
>    non-read-only access to the repository, she can execute programs on
>    the server system through a variety of means.  Thus, repository
>    access implies fairly broad system access as well.  It might be
>    possible to modify CVS to prevent that, but no one has done so as
>    of this writing.
>
> (cvs version 1.10.7; I'd be surprised if .8 has changed that much in
> this respect.)

Yes. But cvs.texinfo also has:

| Note also that the commit and update programs work ONLY when using
| local repository access - the files simply aren't created when sources
| are checked out from a pserver or other remote CVS.

So, at least Checkin.prog and Update.prog should not work with a remote
repository even if there are other ways to execute arbitrary programs...
(Or, the document should be fixed.)
--
Tanaka Akira