--- Derek Robert Price <[EMAIL PROTECTED]> wrote:
> It might have major impact if any of the repository files are executable
> and also owned by the root group. Say, if someone copied the repository
> in as the root user, then changed the owner to their cvs user and left
> the file groups alone.
>
> Executing arbitrary code on the CVS server is trivial, but normally
> isn't considered a major risk since it would be executed as the cvs
> user. But if code running as the cvs user could _then_ edit a setgid
> root file and execute it, it could be trouble.

This is a good point. I think most OSes today turn off the SUID and SGID bits once the file is modified, but it's much better to check this situation on your particular OS.

Thanks,
Noel

_______________________________________________
Info-cvs mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/info-cvs
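
One way to check this on a particular system, as an added example that is not part of the original thread: the script tests whether a write by the current user clears the setuid/setgid bits on the filesystem holding the repository, and lists any files in the tree that carry those bits. The function names and the directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. The directory argument is a placeholder
# for the filesystem that holds the CVS repository.

# List regular files under a tree that carry the setuid or setgid bit,
# with owner and group, so setgid files in the root group stand out.
find_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} +
}

# Create a scratch file in directory $1, set both bits, append to it as the
# current user, and print whether the bits are "cleared" or "kept".
# Prints "unsettable" if the bits could not be set in the first place.
setid_after_write() {
    f=$(mktemp "$1/setid-check.XXXXXX") || return 1
    chmod 6755 "$f"
    if [ ! -u "$f" ] && [ ! -g "$f" ]; then
        result=unsettable
    else
        echo modified >> "$f"
        if [ -u "$f" ] || [ -g "$f" ]; then result=kept; else result=cleared; fi
    fi
    rm -f "$f"
    echo "$result"
}

# Run both checks when a directory is given: sh check.sh /path/to/repository
if [ "$#" -ge 1 ]; then
    echo "setuid/setgid bits after a write: $(setid_after_write "$1")"
    find_setid_files "$1"
fi
```

Run it as the cvs user rather than as root, since a privileged writer can be exempt from the clearing. A result of `kept` means any setuid or setgid file the cvs user can write needs its mode or group corrected by hand.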
