[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: denial-of-service attack prohibits all users from creating new

From: Todd Denniston
Subject: Re: denial-of-service attack prohibits all users from creating new
Date: Tue, 01 Jun 2010 20:04:11 -0400
User-agent: Thunderbird (X11/20100318)

Larry Jones wrote, On 06/01/2010 05:56 PM:
> Bruno Haible writes:
>> The four error messages from the four reports:
>>   Cannot initialize repository under existing CVSROOT: `/home'
>>   Cannot initialize repository under existing CVSROOT: 
>> `/home/rdieter1/cvs.fedoraproject.org'
>>   Cannot initialize repository under existing CVSROOT: 
>> `/pokerserver_test/pokersource'
>>   Cannot initialize repository under existing CVSROOT: `/usr/src/navit'
> None of those look like they're intended to be CVS repositories, so I
> would say that the reporters have either created CVSROOT subdirectories
> that have nothing to do with CVS (highly unlikely) or else they've run
> cvs init on a non-sensical root location.  The latter is pure user error
> and they should be advised to delete said CVSROOT directory.  (The CVS
> repository should only contain CVS managed files; one should never have
> one's working directory set inside a repository unless one is an expert
> who is actively trying to repair a damaged repository.)

(I don't think I am disagreeing with your eval of the cause of the message, but 
perhaps with your
eval of what the users are now thinking, or failing to think when they setup a 
repository a long
time ago... perhaps the cederqvist suggestion below is a way to go?)

Actually we are probably looking at naive users who used too little imagination 
in creating the
directory they feed into the $CVSROOT variable, i.e., they did (at least at one 
export CVSROOT=/a/directory/somewhere/on/mymachine/CVSROOT
mkdir $CVSROOT
cvs -d $CVSROOT  init
..Marley use this CVSROOT until the go to do something else, and then get bit 
much later.

i.e. CVS lets you do the following with out complaint:
cd /tmp/
cvs -v # Concurrent Versions System (CVS) 1.11.22 (client/server)
cvs -d /tmp/CVSROOT/ init
...perhaps at this point CVS should have output something along the lines:
'Um... CVS sees CVSROOT as an important directory name and something it 
controls, you don't want to
use that as the name for your Repository, perhaps you should use mv 
/tmp/CVSROOT/ `openssl rand
-base64 8'` and execute cvs init with that directory name.'

i.e. the users are annoyed because they don't understand why at the later point 
they are getting
this new message.

Also in my copy of the cederqvist, which is admittedly cederqvist-1.11.23 a bit 
old, the section F.1
"Partial list of error messages" is partial enough that it does not contain any 
text along the lines of:
cvs [init aborted]: Cannot initialize repository under existing CVSROOT: 
        Someone created a directory in ProblemDir called CVSROOT, because the 
directory named CVSROOT
should only exist INSIDE of a repository, cvs believes you are asking it to 
init another repository
inside of an existing one, which has bad security implications.  You should 
work with the owner of
that directory to figure out if it should be renamed or if you should not be 
trying to init where
you are currently trying.  Hint, when creating a directory that you will export 
in the CVSROOT
environment variable, call that directory something other than CVSROOT.

>>   2) This error messages was not present in previous versions of 'cvs'.
> And a number of CVS users shot themselves in the foot, which is why it
> was added.

Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter

reply via email to

[Prev in Thread] Current Thread [Next in Thread]