On Mon, 27 Apr 1998, Ian Jackson wrote:
> CVS pserver has at least the following apparently-very-serious
> problems:
>
> 1. Passwords transmitted and stored in (near-)plaintext.
> 2. No protection from session hijacking etc.

Same for FTP and telnet, and we allow them both; if we are going to have a policy that we are paranoid about clear-text passwords then it will have to be applied to all cases. However, it is good to have the choice to be able to use encryption. [see below]

> 3. Commands on the server all run as a particular user, specified in a
> file which is writeable by many other users on the system !

No, I have patched CVS on va to work around this. CVS runs as the owner of the repository and ONLY that person; the entries in the passwd file are ignored. It switches to the owner of the root CVS directory it is using, and that cannot be changed without root privileges. This means each group is isolated and controls its own password list for its own repository. They are responsible for adding people they trust to the password list. The CVS daemon can only do damage to that group's files. It is actually set up as a collection of 4 distinct repositories, one for each group.

> I therefore propose the following remedy:
>
> * CVS pserver should be disabled on va immediately other than perhaps
> for read-only checkout (though I wouldn't trust it for this either).
> Users should be told to use ssh instead (see the CVS manual).

Well, then you propose we give all the Gnome, GTK, Gimp, APT, dpkg, Berlin and whatever developers a full, complete shell account on our system? (There are 89 people with write access to the Gnome repository alone.) There may be another option (involving a hacked ssh) but there hasn't been much interest in pursuing it. The Gnome people do not seem to care (and they do realize), and it does nothing to threaten VA itself or the other projects.

> * Management of checkin access control to parts of the repository
> should be done with ordinary groups on va. Therefore, we should have
> a group for each CVS tree with different access control. There has to
> be a way for the admin team to tell who is supposed to be able to add
> people to these groups.

This is a given if you are using ssh.

> * We should anon-FTP-export the repository (or a copy) to allow people
> easy browsing without having to have an account or use pserver.

I'm not sure of the worth of allowing FTP to the RCS files; they are not that useful to many people on their own. As far as CVS's anon pserver's security goes, if there are problems with that then there isn't really much point in running CVS at all. The repository is already viewable via CVS web from http://www.debian.org/cgi-bin/cvs-web

It seems your only real complaint is that passwords are plain-text? There is no reason why Debian developers can't use ssh directly, but I have not been setting all the repositories up as groups because it makes debian-admin's job a bit harder to keep track of the extra groups and people. However, Gnome is set up as a group; there is no reason not to. I will set dpkg up like this and put klee, iwj and mdorman in the group; if you want other people to use it then email [EMAIL PROTECTED]. Also, if you are using ssh then there is no need to have an entry in the CVSROOT/passwd file. [This should be done by the end of the week]

Jason

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
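The run-as decision argued over in the message above, modelled as an added example (this is not CVS source code and not the patch Jason applied on va; function names, the sample CVSROOT/passwd contents and the placeholder hashes are all constructed here). Stock pserver takes the system account from the optional third column of CVSROOT/passwd, so whoever can write that file picks the account commands run as; the described workaround ignores the file and becomes the owner of the repository root, which only root can change with chown. The refusal to serve a root-owned repository is an extra check this example adds, not something the message states. The last two helpers show why a `:pserver:` CVSROOT puts the password on the wire (CVS scrambles it with a fixed table, it does not encrypt it) while `:ext:` with CVS_RSH=ssh needs no passwd entry at all.

```python
"""Added illustration of the pserver "run as" decision discussed above.

Example code only: not CVS itself and not the va patch. All names below
are assumptions made for this illustration.
"""
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample CVSROOT/passwd (not from the original message).
# Format: cvs-user:crypt(3)-hash[:system-user]. An empty hash means
# "no password required". The hashes are placeholders, not real crypt output.
SAMPLE_PASSWD = """\
# pserver password file
anonymous::anoncvs
jason:xyMBl0I2QDA/2:cvsadmin
klee:hzJG7s9JbUFwk
"""


@dataclass(frozen=True)
class PasswdEntry:
    user: str
    crypted: str
    sysuser: Optional[str]


def parse_cvs_passwd(text: str) -> Dict[str, PasswdEntry]:
    """Parse CVSROOT/passwd lines into a {cvs-user: PasswdEntry} map."""
    entries: Dict[str, PasswdEntry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) not in (2, 3):
            raise ValueError(f"malformed CVSROOT/passwd line: {raw!r}")
        sysuser = parts[2] if len(parts) == 3 and parts[2] else None
        entries[parts[0]] = PasswdEntry(parts[0], parts[1], sysuser)
    return entries


def stock_run_as(entry: PasswdEntry) -> str:
    """Stock pserver: become the system user named in column 3, or the
    cvs user name itself when column 3 is absent. Anyone who can write
    CVSROOT/passwd therefore chooses the account server commands run as."""
    return entry.sysuser or entry.user


def patched_run_as(repo_root: str) -> Tuple[int, int]:
    """The workaround described in the message: ignore the passwd file
    and become the owner (uid, gid) of the repository root directory.
    Changing that owner requires root (chown), so a group's password
    list can only ever grant access to that group's own files."""
    st = os.stat(repo_root)
    if not stat.S_ISDIR(st.st_mode):
        raise ValueError(f"{repo_root} is not a directory")
    return st.st_uid, st.st_gid


def is_safe_owner(uid: int) -> bool:
    """Extra check added here (assumption, not from the message): a
    root-owned repository must never make pserver run as root."""
    return uid != 0


def cvsroot_method(cvsroot: str) -> str:
    """Access method of a CVSROOT such as ':pserver:user@host:/cvs/dpkg'.
    A root with no leading ':' is a plain local path."""
    if not cvsroot.startswith(":"):
        return "local"
    return cvsroot.split(":", 2)[1]


def password_leaves_host_in_clear(cvsroot: str) -> bool:
    """pserver transmits the password scrambled with a fixed table (not
    encrypted); ':ext:' with CVS_RSH=ssh authenticates inside ssh and
    needs no CVSROOT/passwd entry at all."""
    return cvsroot_method(cvsroot) == "pserver"


def demo() -> dict:
    """Exercise the helpers against a temporary directory owned by this process."""
    entries = parse_cvs_passwd(SAMPLE_PASSWD)
    with tempfile.TemporaryDirectory() as root:
        uid, gid = patched_run_as(root)
    return {
        "stock_jason": stock_run_as(entries["jason"]),
        "stock_klee": stock_run_as(entries["klee"]),
        "patched_is_owner": (uid, gid) == (os.getuid(), os.getgid()),
        "pserver_clear": password_leaves_host_in_clear(":pserver:jason@va:/cvs/dpkg"),
        "ext_clear": password_leaves_host_in_clear(":ext:jason@va:/cvs/dpkg"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that `patched_run_as` only decides which uid/gid to become; a real server would still call setgid/setuid before touching the repository, and should check `is_safe_owner` first.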

