[ On Thursday, August 10, 2000 at 02:57:51 (-0400), Justin Wells wrote: ]
> Subject: Re: cvs-nserver and latest CVS advisory
>
> Having a chrooted pserver actually eliminates far more risk than a 
> non-chrooted ssh solution would. The ssh solution would substantially
> improve authentication issues but would do nothing to reduce the 90% 
> of my risk that concerns me most.

You haven't shown that at all, and indeed you haven't calculated your
risks based on the likely threats.

Indeed if your server contains only your repository, and especially if
you've stripped it of unnecessary tools, the only real risk is directly
with your repository itself -- i.e. right where you propose to lock
people in.

Unfortunately with cvspserver you've no accountability because now any
authorised "user" will be able to use any of the many available hacks to
compromise the identity of any other "user" and then even blatantly
spoof changes as that other user.

Also since this is an "open source" project the bigger and more complex
it becomes, and the more developers you get working on it, the easier it
will be for someone to covertly insert changes (and with no proof of
accountability you won't know who did them if/when you do discover
them), and such changes over time could easily add up to something that
compromises the ultimate product (which in this case would apparently be
a total loss and thus the most drastic cost to pay).  People are
error-prone and even several sets of eagle eyes on every change does not
guarantee you'll be able to prevent a determined saboteur.

Furthermore since you're proposing not just an anonymous read-only
server, but instead a full-fledged repository with commit access, you've
complicated your chroot configuration by at least an order of magnitude,
and maybe more if your users demand fancy CVSROOT/*info hooks.

So, tell me again how you think a chrooted cvspserver eliminates more
risk than an unchrooted SSH solution....  It just isn't so.  Not only
that but with the SSH solution you still have the opportunity to use
chroot, and without even the risk of ever running CVS as root!

Yes you still do have to find some basis in the real world for the trust
you grant to your developers, and with SSH you have to ensure they
understand that your security policy requires that they keep their
client machines secure too.  I have found that in the real world,
especially with volunteer efforts (including those outside of the
computing field), you can greatly increase the respect prospective
volunteers have in you (and thus reduce the risk that they'll do
anything nasty to you), if you show them how concerned you are about
security and thus how valuable you consider their efforts to be.  By
managing their expectations, and by providing pointers to all the
information they'll need in order to conform to your security policy,
you'll create a stronger and more security aware community than you
could by any other means (i.e. outside of perhaps offering monetary or
other "convertible" compensation!).

-- 
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <[EMAIL PROTECTED]>      <robohack!woods>
Planix, Inc. <[EMAIL PROTECTED]>; Secrets of the Weird <[EMAIL PROTECTED]>
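The accountability point above (each committer authenticates to SSH as themselves, and the server only ever runs CVS as that unprivileged user) is usually implemented with an OpenSSH forced command. The script below is an added illustration, not code from this thread or from the CVS project: it assumes an install path of /usr/local/sbin/cvs-only for the wrapper, /usr/bin/cvs for the CVS binary, and the convention that the key owner's name is passed as the script's first argument on the authorized_keys line. The wrapper accepts only the exact request a CVS client sends (`cvs server`), records who made it, and refuses anything else, so a stolen or misused key cannot be turned into a general shell.

```shell
#!/bin/sh
# Added example: an OpenSSH forced-command wrapper for CVS-over-SSH.
# Each developer's key gets an authorized_keys line like (paths are assumptions):
#   command="/usr/local/sbin/cvs-only alice",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA... alice@example
# sshd runs this script instead of whatever the client asked for and passes
# the client's request in SSH_ORIGINAL_COMMAND.

# Allow only the exact command a CVS client issues over the rsh/ssh
# transport. Returns 0 to allow, 1 to deny; anything with extra arguments,
# shell metacharacters or a different program is denied.
allow_command() {
    case "$1" in
        "cvs server") return 0 ;;
        *)            return 1 ;;
    esac
}

# Build the audit record for a session: key owner (from the authorized_keys
# line), client address (first field of SSH_CLIENT) and the raw request.
audit_line() {
    printf 'cvs-ssh user=%s from=%s cmd=%s\n' "$1" "${SSH_CLIENT%% *}" "$2"
}

main() {
    user="${1:-unknown}"
    req="${SSH_ORIGINAL_COMMAND:-}"
    # Send the record to syslog so every repository session is attributable.
    logger -t cvs-only "$(audit_line "$user" "$req")"
    if allow_command "$req"; then
        # Runs as the unprivileged login user, never as root (assumed path).
        exec /usr/bin/cvs server
    fi
    echo "only 'cvs server' is permitted on this account" >&2
    exit 1
}

# Run main only when invoked as the installed wrapper, not when sourced.
case "$0" in
    */cvs-only|cvs-only) main "$@" ;;
esac
```

Combined with the `no-pty` and forwarding restrictions on the key line, this gives the per-developer attribution that a shared pserver password database cannot: the syslog record ties every commit session to one key owner and one source address.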
