Re: CVS
(Note crossposting to debian-dpkg and debian-admin)
I went and read the bits in the CVS manual about pserver, and the
relevant configuration on va, and:
Aaaaargh !
CVS pserver has at least the following apparently-very-serious
problems:
1. Passwords transmitted and stored in (near-)plaintext.
2. No protection from session hijacking etc.
3. Commands on the server all run as a particular user, specified in a
   file which is writeable by many other users on the system !
This may be appropriate inside a firewall. It is definitely _not_
appropriate in our environment, which includes:
- partially trusted remote users whose accounts might (for example)
  send bad data to cvs commands to be run not as them
- many people with ability to write bits of the repository's
  filesystem areas (and thus probably to tell cvs pserver to run any
  remotely-executable cvs command as any user)
- remote users on the far side of the public Internet
I therefore propose the following remedy:
* CVS pserver should be disabled on va immediately other than perhaps
  for read-only checkout (though I wouldn't trust it for this either).
  Users should be told to use ssh instead (see the CVS manual).
* Management of checkin access control to parts of the repository
  should be done with ordinary groups on va. Therefore, we should have
  a group for each CVS tree with different access control. There has to
  be a way for the admin team to tell who is supposed to be able to add
  people to these groups.
* We should anon-FTP-export the repository (or a copy) to allow people
  easy browsing without having to have an account or use pserver.
Ian.
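
Added example, not part of the original message or of CVS itself: an audit
sketch for problem 3 and the "disable pserver" remedy above. It assumes the
standard CVSROOT/passwd layout (cvs_user:crypt[:run_as_user]) and a pserver
started from inetd.conf; the users, paths and sample lines are constructed.

```python
import os
import stat
import tempfile

def audit_passwd(path):
    """Audit a CVSROOT/passwd file; lines are cvs_user:crypt[:run_as_user]."""
    findings = []
    # Anyone who can write the file, or replace it via its directory,
    # can change which system user pserver commands run as.
    for target in (path, os.path.dirname(path) or "."):
        mode = stat.S_IMODE(os.stat(target).st_mode)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{target}: writable by group/other (mode {mode:o})")
    with open(path) as fh:
        for n, line in enumerate(fh, 1):
            fields = line.strip().split(":")
            if not fields[0]:
                continue
            run_as = fields[2] if len(fields) > 2 and fields[2] else fields[0]
            if run_as != fields[0]:
                findings.append(f"line {n}: '{fields[0]}' runs commands as '{run_as}'")
    return findings

def pserver_lines(inetd_text):
    """Return active (uncommented) inetd.conf lines that start cvs in pserver mode."""
    return [l for l in inetd_text.splitlines()
            if not l.lstrip().startswith("#") and "pserver" in l.split()]

def demo():
    """Run both checks over constructed sample data in a temporary directory."""
    with tempfile.TemporaryDirectory() as top:
        root = os.path.join(top, "CVSROOT")
        os.mkdir(root)
        pw = os.path.join(root, "passwd")
        with open(pw, "w") as fh:
            fh.write("alice:XXconstructedXX\nbob:YYconstructedYY:cvsuser\n")
        os.chmod(pw, 0o664)    # constructed: group-writable, as in the message
        os.chmod(root, 0o755)
        inetd = ("#ftp stream tcp nowait root /usr/sbin/ftpd ftpd\n"
                 "cvspserver stream tcp nowait root /usr/bin/cvs cvs "
                 "--allow-root=/cvs pserver\n")
        return audit_passwd(pw), pserver_lines(inetd)

if __name__ == "__main__":
    for item in sum(demo(), []):
        print(item)
```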