Re: ANN: cvssh - secure ext-to-pserver bridge

[Greg A. Woods]

[ On Thursday, January 24, 2002 at 20:40:53 (-0500), Michal Wallace wrote: ]
> Subject: Re: ANN: cvssh - secure ext-to-pserver bridge
>
> You obviously have very strong feelings about this...  Can
> you help me understand specifically what risks are involved?

This has been discussed endlessly in this forum in the past....  :-)

> These are the precautions I'm taking:
> 
>  - The CVSROOT directory is read-only, so customers can't add
>    their own users without going through me, nor can they
>    set up wrappers.

Ah, but is it protected from potential trojans -- i.e. from authorised
users being tricked into making such modifications on behalf of
unathorised users?

>  - CVS runs as the user(s) specified in the CVSROOT/passwd
>    file. Each repository gets its own user, that does not
>    have access to any other repository.

This is a big mistake.  You've turned CVS into an authorisation tool
giving outside users access to your Unix filesystem (or at least some
part of it) and to Unix user-ids.  CVS was not designed or implemented
as an authroisation tool.  It is not secure -- there are many potential
bugs, and some of them are not bugs in the normal proper use of CVS.

>  - The cient-server traffic is protected with SSL.

That's mostly irrelevant, though obviously something of the sort is
necessary for any communications over an insecure network.

>  - I am in the process of setting up a chrooted jail
>    (or jails) on the server, to keep CVS from accessing
>    any other directories.

Chroot() is vastly over-rated, and rather complex to get right.
Complexity is an enemy of security.  Jail() similarly so.  CVS was not
designed to play well with either and there are many assumptions built
into the design of CVS which will break the most fundamental premises
necessary to do chroot() well.

I would suggest you and your users just learn to use SSH and forget
about trying to implement any security software yourself.  If you
already have real unix user-ids for every real user then you're most of
the way to making it work properly -- why not go all the way?

If you insist on going your own way then I insist you first read Bruce
Shneier's "Secrets & Lies: Digital Security in a Networked World" from
cover to cover, and then also read John Viega & Gary McGraw's "Building
Secure Software: How to Avoid Security Problems the Right Way" cover to
cover (maybe even twice) before you even think about how to design your
program, let alone write a single line of its code.  (i.e. first throw
away what you have and be prepared to start over from scratch after
you've learned from these most learned of security sages)

CVS is a simple filesystem level tool.  You should no more put security
responsibilities in it than you would in 'vi' or 'emacs'.  CVSpserver
must die.

-- 
                                                                Greg A. Woods

+1 416 218-0098;  <address@hidden>;  <address@hidden>;  <address@hidden>
Planix, Inc. <address@hidden>; VE3TCP; Secrets of the Weird <address@hidden>