[ On Monday, August 7, 2000 at 00:09:47 (+0400), Alexey Mahotkin wrote: ]
> Subject: cvs-nserver and latest CVS advisory (Was: patch to make CVS chroot)
>
> GAW> See the recent thread on BUGTRAQ where someone "exposed" the
> GAW> insecurities of cvspserver.
> 
> I've always thought that this is not limited to pserver itself.  cvs
> over rsh/ssh should also suffer from this problem, because
> "Checkin-prog"/"Update-prog" are not parts of ":pserver:" protocol.
> They are parts of the "CVS client/server protocol", as described in
> cvsclient.info. 
> 
> ":pserver:" protocol covers only parts between "BEGIN AUTH REQUEST"
> and "END AUTH REQUEST", that consists mostly of sending login name and
> password.
> 
> So the "design flaw" is just in so much trusting strings passed by
> remote clients and not in the :pserver: architecture, which is
> adequate enough.

No, the flaw in cvspserver is that it effectively merges the identities
of all unique users into one system level identity.  Unfortunately since
CVS relies by design on system level identities for accountability
purposes, as well as for finer grained ACLs, these features are all lost
with cvspserver.

The "design flaw" in part comes from the fact that it's very difficult
given the current protocol design to separate out the authentication and
authorisation parts cleanly; and of course further arises from the issue
that doing authentication on a modern secure multi-user system requires
special privileges that should *never* ever be permitted of an
application like CVS.

The CVS client/server protocol was actually designed to assume that the
connection it was using had already been properly authenticated and
authorised, and not un-coincidentally that's exactly what RSH or SSH or
something similar provide.

> So when that will be fixed (and the simplest patch is included into
> the advisory), cvs-nserver will too be fixed.  For now I will not
> release patched version of cvs-nserver until something more official
> about it comes out (cvs-1.10.9, for example).

The only "fix" for cvs-nserver is to completely remove the ability to
support a non-system user.  In essence this basically does away with the
need for cvs-nserver in the first place so far as I can see (because it
means all you're really doing is re-inventing SSH or SSL or SRP, etc.).

-- 
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <[EMAIL PROTECTED]>      <robohack!woods>
Planix, Inc. <[EMAIL PROTECTED]>; Secrets of the Weird <[EMAIL PROTECTED]>
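
An added illustration, not part of the original message or of CVS itself: a small audit that shows the identity merging described above, by grouping pserver logins by the system user they run as. It assumes the documented CVSROOT/passwd layout (login:crypt-hash[:system-user], with the login doubling as the system user when the third field is absent); the sample entries and function names are constructed.

```python
from collections import defaultdict

# Constructed sample CVSROOT/passwd content (hashes are placeholders).
SAMPLE_PASSWD = """\
alice:PLACEHOLDERHASH01:cvs
bob:PLACEHOLDERHASH02:cvs
carol:PLACEHOLDERHASH03:cvs
anonymous::cvsanon
dave:PLACEHOLDERHASH04
"""


def parse_passwd(text):
    """Return a list of (pserver_login, system_user, has_password)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(":")
        login = fields[0]
        password = fields[1] if len(fields) > 1 else ""
        # No third field: the server runs as the login name itself.
        system_user = fields[2] if len(fields) > 2 and fields[2] else login
        entries.append((login, system_user, bool(password)))
    return entries


def merged_identities(text):
    """Map each system user to the pserver logins sharing it (2 or more)."""
    groups = defaultdict(list)
    for login, system_user, _ in parse_passwd(text):
        groups[system_user].append(login)
    return {u: sorted(l) for u, l in groups.items() if len(l) > 1}


def passwordless_logins(text):
    """Logins whose password field is empty, so any password is accepted."""
    return sorted(l for l, _, has_pw in parse_passwd(text) if not has_pw)


if __name__ == "__main__":
    for user, logins in merged_identities(SAMPLE_PASSWD).items():
        # File ownership and permission checks see only `user` for all of these.
        print(f"system user {user!r} is shared by: {', '.join(logins)}")
    print("no password set:", ", ".join(passwordless_logins(SAMPLE_PASSWD)))
```

Every login listed under one system user is indistinguishable to file ownership and permission checks on the server, which is the loss of accountability the message describes.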
