info-cvs

Re: CVSROOT write permission vulnerability


From: Larry Jones
Subject: Re: CVSROOT write permission vulnerability
Date: Mon, 20 Jan 2003 10:53:38 -0500 (EST)

Bibhas Kumar Samanta writes:
> 
> I have a simple query.
> We have a Solaris/Unix network with NIS,
> and we use /net/<machine_name>/system/CvsRoot as our CVSROOT 
> which is accessible from all machines.

That means you're using NFS to access your repository.  There have been
lots of reports of repository corruption due to NFS interoperability
bugs.  If all of your machines are running Solaris you probably won't
have a problem, but if they're not, you're asking for trouble.  Using
client/server mode with the server running on the machine that has the
repository on a locally mounted disk is the preferred alternative.

> As CVSROOT requires write permission, it has 777 permission for
> all.
> But this essentially empowers each user to delete the whole
> CVSROOT, maybe even mistakenly, i.e.
> cd /net/<machine_name>/system/CvsRoot;\rm -rf *
> 
> How can I avoid that? Or do I have any mechanism to log
> who is accessing the CVSROOT area?

Setting the sticky bit (chmod -t) on a directory prevents normal users
from deleting or renaming files in that directory unless they own them.

-Larry Jones

I don't need to improve!  Everyone ELSE does! -- Calvin
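
An audit for the condition discussed in this thread, as an added example that is not part of the original message: it lists directories in a repository tree that are world-writable but lack the sticky bit. The function names and the demo layout are constructed for illustration; pass the real repository path as the first argument.

```shell
#!/bin/sh
# Added example (not from the original thread): find repository directories
# that any user can write to (o+w, mode bit 0002) and that do not carry the
# sticky bit (mode bit 1000), i.e. where any user may delete others' files.

# Print such directories under $1, one per line, in a stable order.
unprotected_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print 2>/dev/null | LC_ALL=C sort
}

# Return 0 when the tree is clean, 1 when at least one directory is exposed.
audit_repo() {
    bad=$(unprotected_dirs "$1")
    if [ -n "$bad" ]; then
        printf 'world-writable without sticky bit:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Build a constructed demo tree and print its path:
#   CVSROOT    0777  exposed
#   projA      1777  world-writable, sticky bit set
#   projB      0775  not world-writable
#   projB/src  0777  exposed
build_demo() {
    demo=$(mktemp -d) || return 1
    mkdir -p "$demo/CVSROOT" "$demo/projA" "$demo/projB/src"
    chmod 0777 "$demo/CVSROOT" "$demo/projB/src"
    chmod 1777 "$demo/projA"
    chmod 0775 "$demo/projB"
    printf '%s\n' "$demo"
}

# Stand-alone use: audit the repository path given on the command line.
if [ "$#" -gt 0 ]; then
    audit_repo "$1"
fi
```

The sticky bit only restricts deleting and renaming entries in a directory; a file that is itself writable by others can still be overwritten in place.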



