bug-cvs

Re: denial-of-service attack prohibits all users from creating new


From: Larry Jones
Subject: Re: denial-of-service attack prohibits all users from creating new
Date: Tue, 1 Jun 2010 17:56:24 -0400

Bruno Haible writes:
> 
> The four error messages from the four reports:
>   Cannot initialize repository under existing CVSROOT: `/home'
>   Cannot initialize repository under existing CVSROOT: `/home/rdieter1/cvs.fedoraproject.org'
>   Cannot initialize repository under existing CVSROOT: `/pokerserver_test/pokersource'
>   Cannot initialize repository under existing CVSROOT: `/usr/src/navit'

None of those look like they're intended to be CVS repositories, so I
would say that the reporters have either created CVSROOT subdirectories
that have nothing to do with CVS (highly unlikely) or else they've run
cvs init on a nonsensical root location.  The latter is pure user error
and they should be advised to delete said CVSROOT directory.  (The CVS
repository should only contain CVS managed files; one should never have
one's working directory set inside a repository unless one is an expert
who is actively trying to repair a damaged repository.)

>   1) Once a user cd's into a subdirectory, the sibling directories of the
>      parent, grandparent etc. directory should not matter any more. That's
>      the normal expectation about functioning of programs.

True, but it's not unheard of.  In this case, there are serious security
concerns with allowing a repository inside another repository (as Mark
has noted), and it doesn't really make any sense anyway.  Since a
repository consists of the entire tree under the root and directories
under the root don't necessarily contain anything that would indicate
that they are part of a repository, CVS looks for a CVSROOT subdirectory
(which a repository always has in its root directory) in the current
directory or any ancestor.

>   2) This error message was not present in previous versions of 'cvs'.

And a number of CVS users shot themselves in the foot, which is why it
was added.
-- 
Larry Jones

What a waste to be going to school on a morning like this. -- Calvin
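
An added example, not part of the original message and not CVS's own code: a shell function that approximates the check described above by walking from a directory up to / and listing every ancestor that holds a CVSROOT subdirectory, which is the path named in the "Cannot initialize repository under existing CVSROOT" error. The function name and the use of a `modules` file to guess whether `cvs init` created the directory are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration (hypothetical helper, not CVS source code).
# Approximates the ancestor search described in the message: look for a
# CVSROOT subdirectory in the given directory and in every ancestor.

# Prints one line per hit, nearest first, as "<kind> <dir>":
#   cvs-init  CVSROOT holds a "modules" admin file
#             (heuristic assumption: the directory was made by "cvs init")
#   other     CVSROOT exists but holds no such file
# Returns 0 if at least one CVSROOT was found, 1 if none, 2 on bad input.
find_enclosing_cvsroot() {
    start=${1:-.}
    # Resolve to a physical absolute path so the upward walk ends at /.
    dir=$(cd "$start" 2>/dev/null && pwd -P) || {
        echo "not a directory: $start" >&2
        return 2
    }
    found=1
    while :; do
        if [ -d "$dir/CVSROOT" ]; then
            if [ -f "$dir/CVSROOT/modules" ] || [ -f "$dir/CVSROOT/modules,v" ]; then
                echo "cvs-init $dir"
            else
                echo "other $dir"
            fi
            found=0
        fi
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return "$found"
}
```

Run it against the intended new repository location before `cvs init`; any line it prints names a directory whose CVSROOT subdirectory would trigger the error.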


