>[ On Friday, June 11, 1999 at 22:04:01 (-0700), [EMAIL PROTECTED] wrote: ]
>> Subject: Re: CVS and SSH?
>>
>> On Fri, 11 Jun 1999 14:24:44 -0700
>> Bradford Hull <[EMAIL PROTECTED]> wrote:
>> It is not secure to the extent that CVS'es pserver is not secure.
>
>I think you're confusing the issues here. CVS' pserver access method
>has nothing to do with using SSH to access a CVS repository. With SSH
>(or RSH for that matter) CVS runs as the authenticated and authorised
>user and in that sense is totally secure (it can offer no means of
>changing or enhancing the user's privileges).

One of the files in $CVSROOT/CVS has a command which has to be run
before/after checkouts/checkins (sorry, I don't remember the details). If
this file is not secured properly, it may be set to a trojan so as to give a
less privileged user access to a different account. Unless root uses CVS,
it's not a root exploit, but I'd rather not allow non-privileged users the
possibility of getting into my account.

>> It is effectively tantamount to granting those users shell access to
>> the server with a reasonable probability that they may be able to
>> exploit that shell access into root access (given that pserver runs
>> as root and was not designed or built with security in mind).

I've set up pserver access so as to use a non-root user. You don't _have_ to
put root in inetd.conf. Of course, inetd has to be edited by root...

--
John Riddoch Email: [EMAIL PROTECTED] Telephone: (01224)262721
Room C6, School of Computer and Mathematical Science
Robert Gordon University, Aberdeen, AB25 1HG
I am Homer of Borg. Resistance is Fu... Ooooh! Donuts!
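
An audit for the two points raised in the reply above, as an added example that is not part of the original post: it flags CVS administrative hook files (and their directory) that someone other than a trusted owner could modify, and reports which account each pserver line in inetd.conf runs as. The hook file names are the standard CVS administrative files, assumed here because the post does not name the file; the function names, the `cvsd` account and the inetd lines are constructed for illustration.

```python
import os
import stat

# Standard CVS administrative files that name commands run at commit, tag or
# checkout time (assumption: the post does not say which file it means).
HOOK_FILES = ("commitinfo", "loginfo", "verifymsg", "taginfo", "modules")

def audit_admin_dir(admin_dir, trusted_uids):
    """Return (path, problem) pairs for hook files that others could alter."""
    targets = [admin_dir]  # write access to the directory allows replacing files
    for name in HOOK_FILES:
        for candidate in (name, name + ",v"):  # checked-out copy and RCS history
            path = os.path.join(admin_dir, candidate)
            if os.path.lexists(path):
                targets.append(path)
    findings = []
    for path in targets:
        st = os.lstat(path)
        if st.st_uid not in trusted_uids:
            findings.append((path, "untrusted owner uid %d" % st.st_uid))
        if st.st_mode & stat.S_IWGRP:
            findings.append((path, "group-writable"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((path, "world-writable"))
    return findings

def pserver_accounts(inetd_conf_text):
    """Return the account each pserver entry in inetd.conf runs as."""
    accounts = []
    for line in inetd_conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        # Fields: service, socket type, protocol, wait flag, user, program, args
        if len(fields) >= 7 and "pserver" in fields[6:]:
            accounts.append(fields[4].replace(":", ".").split(".")[0])
    return accounts

# Constructed sample lines, not taken from the thread.
SAMPLE_INETD = """\
# cvspserver stream tcp nowait root /usr/bin/cvs cvs --allow-root=/cvs pserver
cvspserver stream tcp nowait root /usr/bin/cvs cvs --allow-root=/cvs pserver
cvspserver stream tcp nowait cvsd.cvs /usr/bin/cvs cvs --allow-root=/cvs pserver
"""

if __name__ == "__main__":
    print(pserver_accounts(SAMPLE_INETD))
```

Any finding on the directory itself matters as much as one on a file, since a user who can write there can swap in a different hook file.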