Re: CVS & SSL
From: Greg A. Woods
Subject: Re: CVS & SSL
Date: Wed, 23 May 2001 15:44:12 -0400 (EDT)
[ On Wednesday, May 23, 2001 at 14:39:56 (-0400), Derek R. Price wrote: ]
> Subject: Re: CVS & SSL
>
> I only added code to cvs to exec an external "socket provider" and then run
> a pserver connection over that link. Whether that socket provider is
> cleartext, like say tcpserver, an SSL connection using the same key every
> time, or an SSL connection smart enough to rotate keys like SSH does is
> irrelevant to CVS. This should allow the user some flexibility.
I agree it's more flexible -- I just don't agree that there's any point
in making any mods to pserver except to remove it entirely.
> Also, in regards to problems from within, I telecommute to work via a cable
> modem. My firewall logs show packets from an entire class A subnet bouncing
> off the wall. I'm guessing that means AT&T is providing something that at
> least _looks_ like a single LAN to something like, at least, my entire
> county of something over 1 million people. Not to rag on them too much, but
> 1 million people probably includes a fair number of teenagers with too much
> time on their hands who might think it an interesting game to sniff
> passwords.
I don't mean to prevent you from protecting yourself and your networks.
But isn't SSH ultimately far better than anything pserver related?
> What alternative do you propose?
SSH, or anything that mimics it sufficiently, of course!
> > Because this works without setting up a permanent tunnel. That's one
SSH can work that way too, obviously.
> > You're running your builds and sanity.sh as root? What a major major
> > mistake that is! You're probably wide open to remote root-level hacks!
> > (they're just not directly obvious, and a bit harder to hide from
> > audits)
>
> Not at all. I wrote the tests to log in as a bogus username and set up
> CVSROOT/passwd to map to whatever username the script is running as. Thus
> the setuid succeeds...
setuid too? in CVS? grrr...
DO NOT DO ANY SECURITY RELATED THINGS IN CVS!!!!!
--
Greg A. Woods
+1 416 218-0098 VE3TCP <address@hidden> <address@hidden>
Planix, Inc. <address@hidden>; Secrets of the Weird <address@hidden>