There appears to be a loophole in the cvs_acls script that allows someone to bypass an 'unavail' on a specific file and commit changes to that file.
It seems that all one needs to do is update another file in that same directory. Then a commit of that unrestricted file will include the restricted file, which commits successfully.

The avail file would look something like this:

    unavail||CVSROOT/avail
    avail|cvsadmin|CVSROOT/avail

So that only 'cvsadmin' should be able to update the 'avail' file. But if a non-cvsadmin user updates **any other file** in the CVSROOT directory (e.g., loginfo) and commits that file, the commit includes the 'avail' file and successfully commits it.

Here is some sample output when done under :ext: (ssh):

    [EMAIL PROTECTED] ssh]$ vi CVSROOT/avail
    [EMAIL PROTECTED] ssh]$ cvs ci -m"" CVSROOT/avail
    cvs commit: Examining CVSROOT
    [EMAIL PROTECTED]'s password:
    **** Access denied: Insufficient permission for this dir/file (wimp|CVSROOT|)
    cvs commit: Pre-commit check failed
    cvs [commit aborted]: correct above errors first!
    [EMAIL PROTECTED] ssh]$ vi CVSROOT/loginfo
    [EMAIL PROTECTED] ssh]$ cvs ci -m"" CVSROOT/loginfo
    cvs commit: Examining CVSROOT
    [EMAIL PROTECTED]'s password:
    Checking in CVSROOT/avail;
    /usr/cvsroot/CVSROOT/avail,v  <--  avail
    new revision: 1.7; previous revision: 1.6
    done
    Checking in CVSROOT/loginfo;
    /usr/cvsroot/CVSROOT/loginfo,v  <--  loginfo
    new revision: 1.139; previous revision: 1.138
    done
    cvs commit: Rebuilding administrative file database

This exposure occurs under both pserver and ext access modes. Client and server were using CVS 1.11.10 under Redhat Linux 9.0.

Any help would be appreciated...

pc

_______________________________________________
Info-cvs mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/info-cvs
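As an added illustration (not the cvs_acls Perl script and not code from the post above), the following Python model parses the avail file shown in the report and applies the per-file check to every file in a commit, so that a restricted file riding along with an unrestricted one in the same commit is still refused. The rule semantics (rules evaluated in file order with the last match deciding, an empty user field meaning every user, a path rule matching a path equal to it or beneath it, and "available" as the default) are assumptions for this model, not a statement of how cvs_acls itself resolves rules.

```python
# Added example: simplified model of avail/unavail rules applied to a whole
# commit set. Assumed semantics (not taken from cvs_acls): rules are read in
# order and the last matching rule wins; empty users = everyone; a path rule
# matches an equal path or anything below it; default is available.
from typing import Iterable, List, Tuple

# The avail file from the report (constructed inline so the example runs offline).
AVAIL_TEXT = """\
unavail||CVSROOT/avail
avail|cvsadmin|CVSROOT/avail
"""

Rule = Tuple[bool, List[str], List[str]]  # (is_avail, users, paths)

def parse_avail(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # allow trailing comments
        if not line:
            continue
        kind, users, paths = (line.split("|", 2) + ["", ""])[:3]
        if kind not in ("avail", "unavail"):
            raise ValueError(f"bad rule: {raw!r}")
        rules.append((kind == "avail",
                      [u for u in users.split(",") if u],
                      [p for p in paths.split(",") if p]))
    return rules

def _path_matches(rule_path: str, path: str) -> bool:
    return path == rule_path or path.startswith(rule_path.rstrip("/") + "/")

def allowed(rules: List[Rule], user: str, path: str) -> bool:
    verdict = True  # assumed default: available when no rule matches
    for is_avail, users, paths in rules:
        if users and user not in users:
            continue
        if paths and not any(_path_matches(p, path) for p in paths):
            continue
        verdict = is_avail  # later matching rules override earlier ones
    return verdict

def check_commit(rules: List[Rule], user: str, files: Iterable[str]) -> List[str]:
    """Return the files `user` may NOT commit. Every file in the change set is
    checked, not only the one named on the command line, so 'avail' is still
    refused when it is committed together with 'loginfo'."""
    return [f for f in files if not allowed(rules, user, f)]
```

A pre-commit hook built on this would abort the whole commit when `check_commit` returns a non-empty list, regardless of which file the user named on the command line.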
