Re: CVS



(Note crossposting to debian-dpkg and debian-admin)
I went and read the bits in the CVS manual about pserver, and the
relevant configuration on va, and:

Aaaaargh !

CVS pserver has at least the following apparently-very-serious
problems:

1. Passwords transmitted and stored in (near-)plaintext.
2. No protection from session hijacking etc.
3. Commands on the server all run as a particular user, specified in a
   file which is writeable by many other users on the system !

This may be appropriate inside a firewall.  It is definitely _not_
appropriate in our environment, which includes:
  - partially trusted remote users whose accounts might (for example)
    send bad data to cvs commands to be run not as them
  - many people with ability to write bits of the repository's
    filesystem areas (and thus probably to tell cvs pserver to run any
    remotely-executable cvs command as any user)
  - remote users on the far side of the public Internet

I therefore propose the following remedy:

* CVS pserver should be disabled on va immediately other than perhaps
for read-only checkout (though I wouldn't trust it for this either).
Users should be told to use ssh instead (see the CVS manual).

* Management of checkin access control to parts of the repository
should be done with ordinary groups on va.  Therefore, we should have
a group for each CVS tree with different access control.  There has to
be a way for the admin team to tell who is supposed to be able to add
people to these groups.

* We should anon-FTP-export the repository (or a copy) to allow people
easy browsing without having to have an account or use pserver.

Ian.
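
An audit for problem 3 and the first remedy above, as an added example that is not part of the original message. It assumes the standard CVS arrangement, which the message does not spell out: pserver started from inetd, and run-as mappings kept in CVSROOT/passwd as login:crypted-password:system-user. All paths, logins and user names are constructed.

```python
import os
import stat
import tempfile

def audit_pserver(repo_root, inetd_conf):
    """Return a list of findings for the pserver problems raised above."""
    findings = []
    # Is a pserver listener still enabled in inetd?
    with open(inetd_conf) as fh:
        for line in fh:
            fields = line.split()
            if fields and not fields[0].startswith("#") and "pserver" in fields:
                findings.append("pserver enabled in inetd: " + fields[0])
    admin_dir = os.path.join(repo_root, "CVSROOT")
    passwd = os.path.join(admin_dir, "passwd")
    if not os.path.exists(passwd):
        return findings
    # Anyone who can write the file, or replace it via its directory,
    # controls which system user pserver commands run as.
    for path in (passwd, admin_dir):
        mode = os.stat(path).st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append("%s writable beyond owner (mode %o)" % (path, stat.S_IMODE(mode)))
    # Entries are login:crypted-password[:system-user]
    with open(passwd) as fh:
        for line in fh:
            parts = line.strip().split(":")
            if len(parts) >= 3 and parts[2]:
                findings.append("login %s runs as system user %s" % (parts[0], parts[2]))
    return findings

def build_sample(tmp):
    """Constructed sample: a repository laid out like the one described."""
    admin_dir = os.path.join(tmp, "cvs", "CVSROOT")
    os.makedirs(admin_dir)
    passwd = os.path.join(admin_dir, "passwd")
    with open(passwd, "w") as fh:
        fh.write("anonymous::cvsanon\nalice:placeholderhash:cvsdpkg\n")
    os.chmod(passwd, 0o664)   # group-writable, as in problem 3
    os.chmod(admin_dir, 0o775)
    inetd = os.path.join(tmp, "inetd.conf")
    with open(inetd, "w") as fh:
        fh.write("#ftp stream tcp nowait root /usr/sbin/ftpd ftpd\n"
                 "cvspserver stream tcp nowait root /usr/bin/cvs cvs --allow-root=/cvs pserver\n")
    return os.path.join(tmp, "cvs"), inetd

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print("\n".join(audit_pserver(*build_sample(tmp))))
```

Once pserver is disabled and the passwd file is gone, the same function returns an empty list.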

