info-cvs

Re: CVS & SSL


From: Greg A. Woods
Subject: Re: CVS & SSL
Date: Wed, 23 May 2001 15:44:12 -0400 (EDT)

[ On Wednesday, May 23, 2001 at 14:39:56 (-0400), Derek R. Price wrote: ]
> Subject: Re: CVS & SSL
>
> I only added code to cvs to exec an external "socket provider" and then run
> a pserver connection over that link.  Whether that socket provider is
> cleartext, like say tcpserver, an SSL connection using the same key every
> time, or an SSL connection smart enough to rotate keys like SSH does is
> irrelevant to CVS.  This should allow the user some flexibility.

I agree it's more flexible -- I just don't agree that there's any point
in making any mods to pserver except to remove it entirely.
 
> Also, in regards to problems from within, I telecommute to work via a cable
> modem.  My firewall logs show packets from an entire class A subnet bouncing
> off the wall.  I'm guessing that means AT&T is providing something that at
> least _looks_ like a single LAN to something like, at least, my entire
> county of something over 1 million people.  Not to rag on them too much, but
> 1 million people probably includes a fair number of teenagers with too much
> time on their hands who might think it an interesting game to sniff
> passwords.

I don't mean to prevent you from protecting yourself and your networks.

But isn't SSH ultimately far better than anything pserver related?
 
> What alternative do you propose?

SSH, or anything that mimics it sufficiently, of course!

> > Because this works without setting up a permanent tunnel.  That's one

SSH can work that way too, obviously.

> > You're running your builds and sanity.sh as root?  What a major major
> > mistake that is!  You're probably wide open to remote root-level hacks!
> > (they're just not directly obvious, and a bit harder to hide from
> > audits)
> 
> Not at all.  I wrote the tests to log in as a bogus username and set up
> CVSROOT/passwd to map to whatever username the script is running as.  Thus
> the setuid succeeds...

setuid too?  in CVS?  grrr...

DO NOT DO ANY SECURITY RELATED THINGS IN CVS!!!!!

-- 
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <address@hidden>     <address@hidden>
Planix, Inc. <address@hidden>;   Secrets of the Weird <address@hidden>


