Re: twisted CVS
From: Noel Yap
Subject: Re: twisted CVS
Date: Wed, 14 Aug 2002 07:34:50 -0700 (PDT)
--- Derek Robert Price <address@hidden> wrote:
> It might have major impact if any of the repository files are executable
> and also owned by the root group. Say, if someone copied the repository
> in as the root user, then changed the owner to their cvs user and left
> the file groups alone.
>
> Executing arbitrary code on the CVS server is trivial, but normally
> isn't considered a major risk since it would be executed as the cvs
> user. But if code running as the cvs user could _then_ edit a setgid
> root file and execute it, it could be trouble.
This is a good point.
I think most OSes today turn off the SUID and SGID
bits once the file is modified, but it's much better to
check this situation on your particular OS.
Thanks,
Noel
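
Added example (not part of the original message, and not CVS code): a Python sketch of the two checks raised in this thread, listing executable set-id files under a repository and probing whether the local OS clears SUID/SGID on write. The function names are hypothetical and the repository path is supplied by the caller.

```python
import os
import stat
import sys
import tempfile

SETID = stat.S_ISUID | stat.S_ISGID
EXEC = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def find_setid_executables(repo_root):
    """Return sorted (path, mode, uid, gid) tuples for regular files under
    repo_root that are executable and carry a setuid or setgid bit."""
    hits = []
    for dirpath, _dirs, files in os.walk(repo_root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & SETID and st.st_mode & EXEC:
                hits.append((path, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid))
    return sorted(hits)


def setid_bits_after_write(directory=None):
    """Create a scratch file, request setuid+setgid on it, write to it, and
    return (bits_before, bits_after). Run this as the unprivileged cvs user:
    privileged processes may be exempt from the clearing."""
    fd, path = tempfile.mkstemp(dir=directory)
    try:
        os.fchmod(fd, 0o6755)  # the OS may refuse setgid if we are not in the group
        before = os.fstat(fd).st_mode & SETID
        os.write(fd, b"modified\n")
        after = os.fstat(fd).st_mode & SETID
        return before, after
    finally:
        os.close(fd)
        os.unlink(path)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, mode, uid, gid in find_setid_executables(root):
        print(f"{mode:04o} uid={uid} gid={gid} {path}")
    before, after = setid_bits_after_write()
    print(f"set-id bits before write: {before:04o}, after write: {after:04o}")
```

Any file the first function reports with gid 0 matches the situation described in the quoted message; an "after write" value of 0000 means the bits were cleared on this filesystem.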