[ On Wednesday, August 9, 2000 at 20:05:32 (-0400), Justin Wells wrote: ]
> Subject: Re: cvs-nserver and latest CVS advisory (Was: patch to make CVS chroot)
>
> In other words I'm an optimist and greg is a pessimist. I view something
> as "secure enough" if you can live with the consequences of an attack. He
> views something as "secure enough" only if an attack is not possible
> at all and doesn't place any value on your ability to recover from it.
No, the difference is that SSH mitigates all the risks to the point
where they're nearly impossible, and at a cost that is *FAR* lower than
any one of the things you've proposed. I.e. there is *NO* excuse for
not using it!
Unfortunately you've also doubled your risk by letting CVS run as root
for long enough that an exploit is possible and therefore presenting the
risk that the mechanism you've attempted to use to protect your sole
valuable may in fact be the tool that's used to subvert itself! One
thing *everyone* on the Internet should have learned long before now is
that the worst possible scenario is to allow a remote root exploit.
Since it's well known that CVS has major and fundamental flaws that make
it unsafe to use from a state of privilege, such a risk is very high
indeed.
Remember too that even cvspserver without your chroot hack is still
unsafe to use to authenticate even real users since that would still
mean it would have to run as root long enough to do the
authentication and authorisation.
The only safe way to run a CVS server is to arrange to have the CVS
program exec()ed *after* all privileges have been irrevocably
discarded. This is exactly what SSH does.
Cvspserver is only safe to use for anonymous (and thus likely read-only)
access, and only then if you accept the risks inherent in allowing
insecure transport connections, and of course only if you accept (and/or
mitigate) the risk of granting shell access on the server in question.
Since it's even possible to spoof or hijack the resulting insecure
server connections and thus covertly subvert the sources handed out to
them without even having to compromise the server itself, these risks
will almost always add up to far more potential for loss than it will
"cost" to install and use SSH instead. If you don't think so then
that's your business, and your business alone -- do not try to promote
your hack as suitable for anyone else!
> I ran it for six months and none or few of my WinCVS clients got it working.
> Now some documentation has been posted explaining how to do it, but I can
> see that it's a fairly painful installation. Hopefully that will change soon
> and I can really use the ssh solution.
*YOU* should have been capable of writing that documentation in the
first place and ensuring that your users understood it sufficiently.
You can use that documentation *NOW*. You should be capable of using
that documentation to build, or solicit the building of, a well tested
canned configuration for the necessary tools (e.g. a self-installing
package) such that you don't even have to educate your users in mundane
issues that you don't think they should have to deal with.
--
Greg A. Woods
+1 416 218-0098 VE3TCP <[EMAIL PROTECTED]> <robohack!woods>
Planix, Inc. <[EMAIL PROTECTED]>; Secrets of the Weird <[EMAIL PROTECTED]>
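The "exec only after privileges are irrevocably discarded" pattern Woods describes, as an added C example that is not part of the original thread; the target uid/gid and the program to exec are assumed to be supplied by the caller (for instance an unprivileged account created for the CVS server), and the verification step shows why setuid()/setgid() rather than seteuid()/setegid() are required for the drop to be irrevocable.

```c
#define _GNU_SOURCE          /* for setgroups(), seteuid(), setegid() in glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Returns 0 only if real and effective ids equal the unprivileged target AND
 * root cannot be regained (which would mean a saved root id survived). */
int verify_privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    /* If only seteuid()/setegid() had been used, the saved ids would still be
     * 0 and one of these calls would succeed: the "drop" would be reversible. */
    if (setuid(0) == 0 || seteuid(0) == 0) return -1;
    if (setgid(0) == 0 || setegid(0) == 0) return -1;
    return 0;
}

/* Order matters: supplementary groups and gid are changed while still root,
 * since an unprivileged process may not set them to arbitrary values. */
int drop_privileges_irrevocably(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; }  /* never "drop" to root */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;  /* setgid(), not setegid(): clears the saved gid too */
    if (setuid(uid) != 0) return -1;  /* setuid(), not seteuid(): clears the saved uid too */
    return verify_privileges_dropped(uid, gid);
}

/* The pattern from the mail: exec the server program only after the drop is
 * verified, so the exec'd program never runs with root available to an exploit. */
int exec_unprivileged(uid_t uid, gid_t gid, char *const argv[])
{
    if (drop_privileges_irrevocably(uid, gid) != 0) return -1;
    execv(argv[0], argv);
    return -1;  /* reached only if execv() itself failed */
}

/* Usage: ./dropexec <uid> <gid> /path/to/program [args...]  (uid/gid are assumed inputs) */
int main(int argc, char *argv[])
{
    if (argc < 4) { fprintf(stderr, "usage: %s uid gid program [args...]\n", argv[0]); return 2; }
    uid_t uid = (uid_t)strtoul(argv[1], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[2], NULL, 10);
    if (exec_unprivileged(uid, gid, &argv[3]) != 0) { perror("exec_unprivileged"); return 1; }
    return 0;
}
```

Run as root it drops to the given ids and execs the program; run without root it refuses a target of 0 and otherwise only confirms the current ids cannot be escalated.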