Re: Somewhat of a security hole in CVS

Marc Slemko (marcs@ZNEP.COM)
Fri, 29 Aug 1997 12:37:31 -0600

On Fri, 29 Aug 1997, Theo de Raadt wrote:

> > Of course, having someone do a complete security audit of CVS wouldn't
> > hurt either ;-)
>
> I looked at it a bit. It was above the quality of most GNU software.
> I didn't pay any attention to pserver because I think it's yet-another
> cleartext login method, and hence I would never use it.

Sending passwords across the network in cleartext is the least of your
worries with pserver. Two bigger concerns are that it runs on an
unprivileged port from inetd which means on most systems you can steal
connections away from it and grab the passwords (ok, so OpenBSD and some
other OSes will stop you from rebinding to the port as a different uid,
but all you have to do is make inetd give up and release it) and that the
password used for access is stored unencrypted (trivially encoded, but not
encrypted) on the local disk.

> We actually prefer to use ssh/rsh access for the anoncvs servers, and
> we have a chroot wrapper that starts the cvs command up within a
> chroot space. It's basically as secure as ftpd's use of chroot. And
> if they get a shell, they discover that the entire chroot space is
> read-only.

pserver is easy to set up that way too, assuming you already have read-only
hacks in CVS such as the ones the OpenBSD source has. I prefer pserver to
ssh for anoncvs because connection establishment time is lower. rsh is
reasonable, but if you don't allow rsh connects to your machine...

That all assumes, of course, that you aren't concerned about getting hacked
source from someone pretending to be the server. If you are, ssh is
obviously the way to go. For real commit access to the repository,
ssh is the best solution I have found.

On Fri, 29 Aug 1997, Elliot Lee wrote:

> If you run the CVS pserver as per the instructions in the CVS info page
> (running it as root from inetd) anyone can get access to any account
> except root (and perhaps root too - there may be CVS commands that run
> scripts and don't check if uid == 0). If you don't run it as root they can
> still get full access to the repository.

This is old news. The latest cvs (1.9.14, perhaps .10 as well) has
a --allow-root option that needs to be passed to it on the command line
to tell you what repositories to allow access to. Then, of course, you
have to be sure that $CVSROOT, $CVSROOT/CVSROOT and $CVSROOT/CVSROOT/*
are not writable by anyone who shouldn't have root.

Don't trust pserver is my best recommendation.
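An added example, not part of the original message, of the check the last paragraph asks for: it walks $CVSROOT, $CVSROOT/CVSROOT and everything under $CVSROOT/CVSROOT and reports any entry writable by a uid other than the repository owner. It assumes POSIX sh and find; the expected owner is an optional argument (root on a real server) so the function can also be run against a scratch copy.

```sh
#!/bin/sh
# Audit the paths CVS pserver trusts: $CVSROOT, $CVSROOT/CVSROOT and every
# file in $CVSROOT/CVSROOT (passwd, commitinfo, loginfo, ...). Anyone who can
# write these controls what the server executes, so on a real server they must
# be owned by root and writable by nobody else.
#
# Usage: audit_cvsroot /path/to/cvsroot [expected_owner]
# Prints an ls -ld line for each offending entry; returns 0 if clean, 1 if not.
audit_cvsroot() {
    root=$1
    owner=${2:-root}      # root on a production server; overridable for tests
    bad=0
    for p in "$root" "$root/CVSROOT" "$root"/CVSROOT/*; do
        [ -e "$p" ] || [ -L "$p" ] || continue   # unmatched glob or missing path
        # -prune: look at this entry only, never descend into a directory.
        # Flag if group-writable (020), world-writable (002), a symlink (the
        # admin files should be real files the server owns), or owned by
        # someone other than the expected owner (an owner can always chmod).
        hit=$(find "$p" -prune \( -perm -020 -o -perm -002 -o -type l \
                                  -o ! -user "$owner" \) -print)
        if [ -n "$hit" ]; then
            ls -ld "$p"
            bad=1
        fi
    done
    return $bad
}

# Stand-alone use: audit the repository named by $CVSROOT (or argument 1).
if [ -n "${1:-${CVSROOT:-}}" ] && [ "${0##*/}" != "sh" ]; then
    audit_cvsroot "${1:-$CVSROOT}" && echo "no writable entries found"
fi
```

Run it after applying --allow-root, and again after any change to the administrative files; a clean run says nothing about the cleartext-password or port-stealing problems described above.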