Bugtraq mailing list archives

Re: cvs security problem

From: "Greg A. Woods" <woods () weird com>
Date: Fri, 28 Jul 2000 16:03:15 -0400

[ On Friday, July 28, 2000 at 17:21:28 (+0900), Tanaka Akira wrote: ]

Subject: cvs security problem

I found two security problems in cvs-1.10.8.

(1) A committer can execute any binary in server using
    CVS/Checkin.prog or CVS/Update.prog.


Yeah.  So?  This is meaningless.  CVS is not designed to prevent this.
In fact quite the opposite -- it is assumed that CVS users with commit
access do have shell access to the CVS server.

In fact normally the "cvspserver" method of accessing a CVS repository
should only ever be used for anonymous read-only access, and even then
it is well known that shell access to the server may be possible (under
the user-id that the cvspserver daemon runs as, of course).

A properly configured CVS server will use a secure remote execution
facility (such as SSH) which by definition means that any committer will
have shell access to the server, but of course only under a properly
authorised user-id -- i.e. they'll be accountable for their actions.

--
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods () acm org>      <robohack!woods>
Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>

Current thread:

cvs security problem Tanaka Akira (Jul 28)
- Re: cvs security problem Kev (Jul 29)
  - Re: cvs security problem Tanaka Akira (Jul 29)
- Re: cvs security problem Greg A. Woods (Jul 29)
  - Re: cvs security problem Tanaka Akira (Jul 29)
    - Re: cvs security problem Greg A. Woods (Jul 29)