[weejockat_private: Security issue with cvs (fwd)] (fwd)

From: J. Joseph Max Katz (jkatzat_private)
Date: Thu Aug 13 1998 - 05:51:24 PDT


    This was forwarded to miscat_private. I don't remember seeing
    anything about this in the past. Pardon the headers.
    
    -Jon
    
    ---------- Forwarded message ----------
    Date: Thu, 13 Aug 1998 13:37:54 +0100
    From: Jon Ribbens <jonat_private>
    To: miscat_private
    Subject: [weejockat_private: Security issue with cvs (fwd)]
    
    No idea if this is relevant.
    
    --- Forwarded message from Matthew Kirkwood <weejockat_private> ---
    
    Date: Thu, 13 Aug 1998 13:16:32 +0100 (GMT)
    From: Matthew Kirkwood <weejockat_private>
    To: security audit list <security-auditat_private>
    Subject: Security issue with cvs (fwd)
    
    Does this make any sense?
    
    ---------- Forwarded message ----------
    Date: Thu, 13 Aug 1998 02:37:12 +0200 (CEST)
    From: Carlo Wood <carloat_private>
    To: "egcsat_private" <egcsat_private>
    Subject: Security issue with cvs
    
    Hi,
    
    as might be well known, there is a security problem with
    the read-only CVS access.  The problem is that when someone
    manages to change or replace the CVSROOT/passwd file,
    then he or she can get root.
    
    The only way to avoid this is by making the restrictions
    on CVSROOT (and all directories above it) as tight as
    on /etc, which is clearly not the case for egcs because
    I can checkout the CVSROOT directory (which demands the
    anonymous user to set locks in there).
    
    I wrote a patch for cvs-1.9.29 (although 1.9.30 is out now)
    which reads a file /etc/cvs.passwd instead of CVSROOT/passwd.
    The normal procedure for adding changes like this into
    cvs seems to be that people use it first, as a patch :).
    
    I am using it already myself on coder-com.undernet.org,
    and I advise "egcs" to use it too.
    
    I did put it on the web.  You can get it at
    http://www.xs4all.nl/~carlo17/cvs/
    for now.
    
    Thanks
    
    --
     Carlo Wood  <carloat_private>
    
    
    --- End forwarded message ---
    
    --
    \/ Jon Ribbens / jonat_private
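Added example, not part of the original thread: a POSIX sh check for the condition Carlo describes, namely that CVSROOT and every directory above it are no looser than /etc, and that the pserver passwd file can only be touched by its owner. The repository path and the optional STOP directory are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): walk from CVSROOT up towards the top
# directory and flag any group- or world-writable directory, then flag a
# CVSROOT/passwd that anyone but its owner can read or write.

# usage: check_cvsroot_perms /path/to/repo/CVSROOT [STOP]
#   STOP (default /) is the highest directory inspected; pass a trusted
#   parent to audit a subtree on its own.  Returns 0 if everything is tight,
#   1 if something is loose, 2 if CVSROOT does not exist.
check_cvsroot_perms() {
  root=$1
  stop=${2:-/}
  d=$(cd "$root" 2>/dev/null && pwd -P) || { echo "no such directory: $root"; return 2; }
  stop=$(cd "$stop" 2>/dev/null && pwd -P) || stop=/
  bad=0

  # ls -ld prints "drwxr-xr-x ..."; character 6 is group write, 9 is other write.
  while :; do
    perm=$(ls -ld "$d" | cut -c1-10)
    case $perm in
      ?????w*|????????w*) echo "LOOSE dir:  $perm $d"; bad=1 ;;
      *)                  echo "ok    dir:  $perm $d" ;;
    esac
    [ "$d" = "$stop" ] || [ "$d" = / ] && break
    d=$(dirname "$d")
  done

  # The passwd file holds crypt() hashes: like /etc/shadow it should be
  # mode 600, i.e. characters 5-10 of the mode string are all '-'.
  pw=$root/passwd
  if [ -e "$pw" ]; then
    perm=$(ls -ld "$pw" | cut -c1-10)
    case $perm in
      ????*[rwx]*) echo "LOOSE file: $perm $pw"; bad=1 ;;
      *)           echo "ok    file: $perm $pw" ;;
    esac
  fi
  return $bad
}

# Stand-alone use, e.g.: sh check_cvsroot_perms.sh /var/cvs/repo/CVSROOT
if [ "$#" -gt 0 ]; then
  check_cvsroot_perms "$@"
fi
```

A non-zero exit from the function means the repository is in the state the message warns about: a directory on the path (or the passwd file itself) that someone other than its owner could replace.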
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:12:32 PDT