[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: CVS, SSH, (Light) Security
|
From: |
Greg A. Woods |
|
Subject: |
Re: CVS, SSH, (Light) Security |
|
Date: |
Thu, 7 Mar 2002 14:28:08 -0500 (EST) |
[ On Thursday, March 7, 2002 at 17:52:01 (GMT), Richard Caley wrote: ]
> Subject: Re: CVS, SSH, (Light) Security
>
> But if I start some policy of controling individual file permissions
> it means some poor sod has to make sure every file checked in has the
> right permissions, or a regular process does. Yeuch.
The point is that you cannot easily implement any policy that control
access to individual files. CVS only works normally with per-directory
access controls. You can muck about with scripts called by commitinfo,
but that's not really guaranteed to be secure -- it would just be
"advisory" security.
> And if they can write the directory to make a lock file/directory they
> can presumably check in new files and who knows what else might sneak
> through.
Yes, that's exactly right, which is why you need to move the lock
directories somewhere else.
> If CVS created it's lock files outside the repositary itself, then
> simple access controls on the whole repository would work and that
> would be much cleaner. Then I could put each module directory in the
> repository into it's own group and control access that way.
Indeed. That's why CVS has this feature that everyone's been trying to
tell you about. Here's the blurb from the manual (in the "config" node):
LockDir=DIRECTORY'
Put CVS lock files in DIRECTORY rather than directly in the
repository. This is useful if you want to let users read from the
repository while giving them write access only to DIRECTORY, not
to the repository. It can also be used to put the locks on a very
fast in-memory file system to speed up locking and unlocking the
repository. You need to create DIRECTORY, but CVS will create
subdirectories of DIRECTORY as it needs them. For information on
CVS locks, see *Note Concurrency::.
Before enabling the LockDir option, make sure that you have
tracked down and removed any copies of CVS 1.9 or older. Such
versions neither support LockDir, nor will give an error
indicating that they don't support it. The result, if this is
allowed to happen, is that some CVS users will put the locks one
place, and others will put them another place, and therefore the
repository could become corrupted. CVS 1.10 does not support
LockDir but it will print a warning if run on a repository with
LockDir enabled.
The lock heriarchy could even be world writable, and certainly it needs
to be writable by the unprivileged user-ID used to grant anonymous
read-only access. You'll have to keep your eyes on it anyway lest a
vulnerability in CVS somehow allow anonymous users to write arbitrary
data to it.
--
Greg A. Woods
+1 416 218-0098; <address@hidden>; <address@hidden>; <address@hidden>
Planix, Inc. <address@hidden>; VE3TCP; Secrets of the Weird <address@hidden>
- CVS, SSH, (Light) Security, Richard Caley, 2002/03/07
- Re: CVS, SSH, (Light) Security, Noel Yap, 2002/03/07
- Re: CVS, SSH, (Light) Security, Larry Jones, 2002/03/07