Re: to stop commit

[Mark D. Baushke]

<#part sign=pgp sender=0x6B039C51>
Pierre Asselin <address@hidden> writes:

> Mark D. Baushke <address@hidden> wrote:
> 
> > [ ... ]
> > It is even easier than that, setup a anoncvs userid with a shells that
> > only runs the execl('/usr/bin/cvs', 'cvs', 'server', NULL) function and
> > that allows an empty password.
> 
> Which gives everyone the right to run "cvs server" on your machine
> and stuff attacks down its stdin.  This as opposed to running "cvs
> pserver" on your machine and stuffing attacks down its stdin.  Is it
> that much of an improvement?

It means that at most the 'cvs' user will be compromised.

FWIW: I suggest that anonymous cvs readers is best handled in a jail or
chrooted() directory on a mirror of the real repository. Your mileage
may vary...

> For authenticated cvs I see how ssh is more secure... because it
> just is.  Your users can still attack you if they want, but there
> is an audit trail of who connected when.  With anonymous cvs,
> whether through ssh or xinetd, it's basically a given that you
> allow absolutely anyone to run cvs without a lot of traceability.
> 
> 
> > Security of sshd is much higher than security of cvs. The only
> > vulnerability will be that of the user/group you provide for the anoncvs
> > userid instead of the possibility of 'root' in most :pserver:
> > configurations.
> 
> Hmmm, I see.  So the risk is an attacker cracking cvs pserver
> before it calls setuid() ?

Yes.
        -- Mark