Tanaka Akira writes:
>
> % cvs -d /tmp/y init
> % echo anonymous > /tmp/y/CVSROOT/readers
> % echo anonymous::akr > /tmp/y/CVSROOT/passwd
> % cvs --allow-root=/tmp/y pserver
> BEGIN AUTH REQUEST
> /tmp/y
> anonymous
> A
> END AUTH REQUEST
> cvs: setgroups: Operation not permitted
> I LOVE YOU
> init /tmp/x
> ok
>
> Is it perfectly safe?

No, it's a bug -- in pserver, you shouldn't be allowed to init a root other than the one you specified in the AUTH REQUEST (and the standard CVS client won't ever try). I don't think that's a serious problem since you won't be able to do anything else with the repository you create, but you could mount a denial of service attack by using up all the space on a disk creating bogus repositories. Of course, there are lots of other ways to mount DOS attacks with CVS that don't require bugs. I'm working on a fix.

-Larry Jones

Hmph. -- Calvin
_______________________________________________
Info-cvs mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/info-cvs
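
The check the reply describes, as an added example that is not part of the original thread and is not CVS source code: after a pserver login, every request that names a repository root (`Root` or `init`) is compared with the root given in the AUTH REQUEST. The function names and the sample sessions are constructed for illustration, and paths are compared as exact strings with no canonicalization.

```c
#include <stdio.h>
#include <string.h>

/* If the request line names a repository root, point *path at it and return 1. */
static int root_arg(const char *line, const char **path) {
    static const char *const verbs[] = { "Root ", "init " };
    for (size_t i = 0; i < sizeof verbs / sizeof verbs[0]; i++) {
        size_t len = strlen(verbs[i]);
        if (strncmp(line, verbs[i], len) == 0) { *path = line + len; return 1; }
    }
    return 0;
}

/* Walk the client-to-server lines of one pserver session. Returns the number
   of requests naming a root other than the authenticated one, or -1 if the
   session does not start with a complete AUTH REQUEST block. */
int count_root_mismatches(const char *const *lines, size_t n) {
    if (n < 5 || strcmp(lines[0], "BEGIN AUTH REQUEST") != 0
              || strcmp(lines[4], "END AUTH REQUEST") != 0)
        return -1;
    const char *auth_root = lines[1];   /* root the client authenticated for */
    int bad = 0;
    for (size_t i = 5; i < n; i++) {
        const char *path;
        if (root_arg(lines[i], &path) && strcmp(path, auth_root) != 0) {
            printf("reject \"%s\": authenticated root is %s\n", lines[i], auth_root);
            bad++;
        }
    }
    return bad;
}

/* Constructed sample: the client lines of the session quoted in the thread. */
static const char *const quoted_session[] = {
    "BEGIN AUTH REQUEST", "/tmp/y", "anonymous", "A", "END AUTH REQUEST",
    "init /tmp/x",
};
/* Constructed sample: same login, requests stay on the authenticated root. */
static const char *const well_behaved[] = {
    "BEGIN AUTH REQUEST", "/tmp/y", "anonymous", "A", "END AUTH REQUEST",
    "Root /tmp/y", "init /tmp/y",
};

int main(void) {
    printf("quoted session: %d mismatch(es)\n", count_root_mismatches(quoted_session, 6));
    printf("well-behaved:   %d mismatch(es)\n", count_root_mismatches(well_behaved, 7));
    return 0;
}
```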
