On Wed, Aug 09, 2000 at 04:33:08PM -0400, Noel L Yap wrote:
> When using SSH, the server can specify exactly what the client
> can do. Why not just limit them to using "cvs server"?
Because you can't. CVS is so riddled full of security holes that giving
someone access to run "cvs server" means giving them a shell, if they want
to try and get one.
My solution is to lock the CVS server in a chrooted area where there isn't
very much they can do after they get that shell. At that point they can
start messing with the repository via non-CVS methods--but I'll still
notice the diffs.
> >I'm Canadian. I'm just trying to point out that I have almost no recourse to
> >go after someone who abuses my system if they happen to live in Russia
> >or China or some other country with weak ties to Canada. Even if they
> >do live in Canada and I can sue/charge them with something the odds are
> >I'm not going to waste my time doing that--I'd rather have defended against
> >the risk than have to sue them.
>
> And how is pserver gonna help in this respect?
Because, with the patch that I previously posted, that spawned this whole
thread, my pserver runs in a chrooted partition. I'm defended against the
risk: even if they break through CVS (which shouldn't be hard) that
doesn't get them through to the full OS.
Under Greg's proposal, based on ssh, they are much better authenticated,
but if they choose to attack they gain a shell on the root partition and
shortly after that they're the root userid via some exploit or other.
> I don't think anyone is arguing against using chroot. People are arguing
> against putting the chroot call within CVS.
Greg was arguing against chroot. He claims it offers *no* improvement in
security at all.
He seems to confuse security with authentication. Authentication is only
one part of security.
Justin
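Noel's suggestion at the top of the thread ("limit them to using 'cvs server'") is usually implemented with an sshd forced command: a `command="..."` option in `authorized_keys` runs a fixed wrapper no matter what the client asked for, and the wrapper inspects `SSH_ORIGINAL_COMMAND`. The script below is an added example written for this page, not code from the thread or from CVS; the wrapper path and key line in the comments are hypothetical. It only enforces the "cvs server only" rule Noel describes and does nothing about what `cvs server` itself can do once running, so it is a complement to, not a replacement for, the chroot Justin argues for.

```sh
#!/bin/sh
# Added example (not from the thread): sshd forced-command wrapper that
# permits exactly "cvs server" and nothing else over a given key.
#
# Hypothetical authorized_keys line for the CVS account (options before the key):
#   command="/usr/local/bin/cvs-only.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA... user@host
#
# sshd runs the forced command instead of whatever the client requested and
# exposes the client's request in SSH_ORIGINAL_COMMAND.

# cvs_command_allowed REQUEST
# Returns 0 only if REQUEST is the literal string "cvs server".
# An exact match (not a prefix or substring test) is deliberate: it rejects
# "cvs server; sh", "cvs server && ...", an empty request (interactive shell)
# and any other command the key holder might try to run.
cvs_command_allowed() {
    case "$1" in
        "cvs server") return 0 ;;
        *) return 1 ;;
    esac
}

# run_forced_command
# Executes cvs server when the request is allowed; otherwise logs the
# rejected request to syslog (auth facility) so the attempt is visible,
# tells the client why it was refused, and exits non-zero.
run_forced_command() {
    if cvs_command_allowed "${SSH_ORIGINAL_COMMAND-}"; then
        exec cvs server
    fi
    logger -p auth.warning -t cvs-only \
        "rejected command from ${SSH_CONNECTION-unknown}: ${SSH_ORIGINAL_COMMAND-<none>}"
    echo "Only 'cvs server' is permitted with this key" >&2
    exit 1
}

# Only act when invoked by sshd (SSH_CONNECTION is set by the daemon);
# when the file is run or sourced elsewhere the functions are just defined.
if [ -n "${SSH_CONNECTION-}" ]; then
    run_forced_command
fi
```

The `no-pty` and `no-*-forwarding` options on the key line matter as much as the wrapper: without them a rejected client could still have obtained a forwarded port or agent socket before the wrapper ran. The log line gives the sysadmin the same kind of evidence Justin says he relies on ("I'll still notice the diffs"), but at the moment of the attempt rather than afterwards.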