
Re: anonymous cvs init.


From: Larry Jones
Subject: Re: anonymous cvs init.
Date: Tue, 29 Jan 2002 15:52:12 -0500 (EST)

Tanaka Akira writes:
>
> % cvs -d /tmp/y init
> % echo anonymous > /tmp/y/CVSROOT/readers
> % echo anonymous::akr > /tmp/y/CVSROOT/passwd
> % cvs --allow-root=/tmp/y pserver
> BEGIN AUTH REQUEST
> /tmp/y
> anonymous
> A
> END AUTH REQUEST
> cvs: setgroups: Operation not permitted
> I LOVE YOU
> init /tmp/x
> ok
> 
> Is it perfectly safe?

No, it's a bug -- in pserver, you shouldn't be allowed to init a root
other than the one you specified in the AUTH REQUEST (and the standard
CVS client won't ever try).  I don't think that's a serious problem
since you won't be able to do anything else with the repository you
create, but you could mount a denial of service attack by using up all
the space on a disk creating bogus repositories.  Of course, there are
lots of other ways to mount DOS attacks with CVS that don't require
bugs.  I'm working on a fix.

-Larry Jones

Hmph. -- Calvin
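The check Larry describes (a pserver session should only be allowed to `init` the root named in its AUTH REQUEST), written out as a toy model of the session state machine. This is an added example, not CVS source code: the `ALLOWED_ROOTS`, `PASSWD` and `READERS` tables, the `PserverSession` class, `run_transcript` and the `error 0 ...` wording of the rejection replies are all constructed for illustration; only the `I LOVE YOU` / `I HATE YOU` replies, the five-line AUTH REQUEST block and the fact that an empty password scrambles to `A` come from the real protocol.

```python
# Added example, not CVS code. Models the post-authentication "init" check:
# the session records which root it authenticated against and refuses to
# create any other repository, which is the behaviour Larry says is missing.

ALLOWED_ROOTS = {"/tmp/y"}                       # stand-in for --allow-root=/tmp/y
PASSWD = {"/tmp/y": {"anonymous": ""}}           # stand-in for CVSROOT/passwd (anonymous::akr)
READERS = {"/tmp/y": {"anonymous"}}              # stand-in for CVSROOT/readers


class PserverSession:
    """Tracks one pserver connection: its authenticated root and user."""

    def __init__(self, allowed_roots=ALLOWED_ROOTS, passwd=PASSWD, readers=READERS):
        self.allowed_roots = allowed_roots
        self.passwd = passwd
        self.readers = readers
        self.auth_root = None
        self.user = None
        self.audit = []          # rejected requests, as a server log would record them

    def authenticate(self, block):
        """Handle the five-line AUTH REQUEST block; returns the server's reply."""
        if (len(block) != 5 or block[0] != "BEGIN AUTH REQUEST"
                or block[4] != "END AUTH REQUEST"):
            return "error 0 malformed AUTH REQUEST"      # constructed wording
        root, user, scrambled = block[1:4]
        if root not in self.allowed_roots:
            return "I HATE YOU"                           # real pserver rejection reply
        stored = self.passwd.get(root, {}).get(user)
        # Only the empty password is modelled here: it scrambles to "A".
        # Any non-empty stored password is treated as a mismatch in this toy.
        if stored is None or stored != "" or scrambled != "A":
            return "I HATE YOU"
        self.auth_root, self.user = root, user
        return "I LOVE YOU"                               # real pserver success reply

    def handle(self, request):
        """Handle one request line after authentication; returns the reply."""
        if self.auth_root is None:
            return "error 0 not authenticated"
        verb, _, arg = request.partition(" ")
        if verb != "init":
            return "error 0 request not modelled in this example"
        if arg != self.auth_root:
            # The fix: a session may only act on the root it authenticated to.
            self.audit.append(
                f"{self.user}: init {arg} rejected, session root is {self.auth_root}")
            return f"error 0 init: {arg} is not the authenticated root"
        if self.user in self.readers.get(self.auth_root, set()):
            return "error 0 init: read-only user"       # assumption: readers cannot init
        return "ok"


def run_transcript(lines):
    """Feed a session transcript (auth block first) and collect the replies."""
    session = PserverSession()
    replies = [session.authenticate(lines[:5])]
    for request in lines[5:]:
        replies.append(session.handle(request))
    return replies, session.audit


if __name__ == "__main__":
    # Constructed transcript mirroring the one in the thread.
    replies, audit = run_transcript([
        "BEGIN AUTH REQUEST", "/tmp/y", "anonymous", "A", "END AUTH REQUEST",
        "init /tmp/x",
    ])
    print(replies)
    print(audit)
```

With the mismatch check in place, the `init /tmp/x` line from the thread is answered with an error instead of `ok`, and the refusal is logged, which is the signal a server operator would want to see when someone probes for the bug.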
