Re: Webserver CVS (In)Security

[Andrew Brown <atatat () atatdot net>]

> A lot of people use CVS to manage their web content. It's a great way to
> keep track of changes, and makes updating and rollbacks a very easy
> thing to do.
>
> ..BUT (there's always a but) this can be a _huge_ security risk.
>
> When I finally decided to manage my web content with CVS, I noticed
> something about the directory layout (after running a `cvs up`) of my
> website; there were a bunch of CVS directories with files in them. I
> always knew they were there when working with CVS (those files are the
> way CVS keeps track of versions and what not), but I never paid any mind
> to them.. until today.
>
> I opened up Mozilla and went to my website with a /CVS appended to the
> URL. Since I have Apache setup to disallow directory listings, I didn't
> get anything. Then I added /CVS/Entries to the URL. Two words came to
> mind: Uh-oh. The Entries file gave a complete listing of my webroot. It
> was like having ls(1) running on my webserver. The Entries file showed
> all the files and directories people normally wouldn't be able to see or
> even scan for. It would seem that having the directory listing option
> disabled in my httpd.conf didn't matter anymore.
> ...

keep two trees.

tree 1 (let's call it /foo/cvs) is a copy of the cvs material with all
the cvs subdirs and meta-files in it.

tree 2 (let's call it /foo/www) is updated as follows whenever you cvs
update tree 1, or whatever you do to maintain it.

        % cd /foo/cvs
        % rsync -CHar --delete . /foo/www

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior () daemon org             * "ah!  i see you have the internet
twofsonet () graffiti com (Andrew Brown)                that goes *ping*!"
werdna () squooshy com       * "information is power -- share the wealth."