On Fri, Aug 04, 2000 at 02:35:36PM -0400, Rich Salz wrote:
> I know you can say the same thing about my getpid/putenv patch.  I'd
> consider that slightly different since that also works for non-pserver. 
> But I do think it's an issue for us to consider:  when to patch main()
> and when to write wrappers?

I have a wrapper which does a chroot followed by a setuid/setgid and then
runs CVS. Then I had to patch CVS so that it wouldn't try the setuid/setgid
on itself. Otherwise there is no guarantee CVS will drop root permissions 
and as root it's trivially easy to break out of a chroot.

After running CVS with that wrapper and patch for about a year, I
decided that this way is cleaner. Now I can take advantage of the underlying
userids and groups in the OS to control access to parts of my repository, 
since setuid/setgid works normally again.

An alternative would be to patch main and ensure that in the authenticated
case it always drops root permissions, and put the chroot in a wrapper. But
I figured if I was going to patch main at all, I might as well add in the
other couple of lines that do the chdir/chroot.

Justin
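
The wrapper approach discussed in this message, sketched as an added example (not the poster's wrapper or CVS patch): enter the chroot, drop group and user IDs in that order, and confirm root cannot be regained before running the server. The function name, error codes and command-line layout are hypothetical.

```c
#define _DEFAULT_SOURCE 1   /* chroot(), setgroups() on glibc */
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Which step failed, so the caller can log where confinement stopped. */
enum { CD_OK = 0, CD_ROOT_ID = -1, CD_CHDIR = -2, CD_CHROOT = -3,
       CD_GROUPS = -4, CD_SETGID = -5, CD_SETUID = -6, CD_STILL_ROOT = -7 };

/* Enter the jail, then drop root for good. Order matters at every step. */
int confine_and_drop(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)    return CD_ROOT_ID; /* refuse to "drop" to root */
    if (chdir(jail) != 0)        return CD_CHDIR;   /* cwd must be inside the jail */
    if (chroot(".") != 0)        return CD_CHROOT;  /* needs root, so do it first */
    if (chdir("/") != 0)         return CD_CHDIR;
    if (setgroups(0, NULL) != 0) return CD_GROUPS;  /* clear root's supplementary groups */
    if (setgid(gid) != 0)        return CD_SETGID;  /* group before user: needs root */
    if (setuid(uid) != 0)        return CD_SETUID;  /* as root: real, effective, saved uid */
    /* Verify the drop is irreversible before running anything else. */
    if (setuid(0) == 0 || geteuid() == 0 || getegid() == 0)
        return CD_STILL_ROOT;
    return CD_OK;
}

/* Hypothetical usage: wrapper <jail> <uid> <gid> <program> [args...] */
int main(int argc, char **argv)
{
    if (argc < 5) {
        fprintf(stderr, "usage: %s jail uid gid program [args...]\n", argv[0]);
        return 2;
    }
    /* Non-numeric input parses as 0 and is rejected as a root id. */
    int rc = confine_and_drop(argv[1], (uid_t)strtoul(argv[2], NULL, 10),
                              (gid_t)strtoul(argv[3], NULL, 10));
    if (rc != CD_OK) {
        fprintf(stderr, "confinement failed at step %d\n", rc);
        return 1;               /* never exec with partial confinement */
    }
    execv(argv[4], &argv[4]);   /* path is resolved inside the jail */
    perror("execv");
    return 1;
}
```

A program started this way must not attempt its own setuid/setgid switch, which is the reason the message gives for also patching CVS.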
