Re: anonymous cvs init.
From: Larry Jones
Subject: Re: anonymous cvs init.
Date: Tue, 29 Jan 2002 15:52:12 -0500 (EST)
Tanaka Akira writes:
>
> % cvs -d /tmp/y init
> % echo anonymous > /tmp/y/CVSROOT/readers
> % echo anonymous::akr > /tmp/y/CVSROOT/passwd
> % cvs --allow-root=/tmp/y pserver
> BEGIN AUTH REQUEST
> /tmp/y
> anonymous
> A
> END AUTH REQUEST
> cvs: setgroups: Operation not permitted
> I LOVE YOU
> init /tmp/x
> ok
>
> Is it perfectly safe?
No, it's a bug -- in pserver, you shouldn't be allowed to init a root
other than the one you specified in the AUTH REQUEST (and the standard
CVS client won't ever try). I don't think that's a serious problem
since you won't be able to do anything else with the repository you
create, but you could mount a denial of service attack by using up all
the space on a disk creating bogus repositories. Of course, there are
lots of other ways to mount DoS attacks with CVS that don't require
bugs. I'm working on a fix.
-Larry Jones
Hmph. -- Calvin
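The check Larry describes as missing, modelled as an added illustration rather than CVS's own code: a minimal pserver session handler that binds any `init` request to the root named in the AUTH REQUEST and refuses every other root before anything is created. The `--allow-root` set, the session transcripts and the `error` line wording are constructed for this example; password checking is not modelled.

```python
# Added illustration of the pserver `init` root check discussed in the thread
# (not CVS source). After a successful AUTH REQUEST for one root, an `init`
# naming a different root is refused instead of creating a repository.
from typing import Iterable, List, Set

ALLOWED_ROOTS: Set[str] = {"/tmp/y"}   # what `--allow-root=/tmp/y` permits (constructed)

# Constructed sessions mirroring the transcript in the thread: the client
# authenticates against /tmp/y and then asks to create a repository.
SESSION_CROSS_ROOT = [
    "BEGIN AUTH REQUEST", "/tmp/y", "anonymous", "A", "END AUTH REQUEST",
    "init /tmp/x",
]
SESSION_SAME_ROOT = [
    "BEGIN AUTH REQUEST", "/tmp/y", "anonymous", "A", "END AUTH REQUEST",
    "init /tmp/y",
]

def handle_session(lines: Iterable[str], allowed: Set[str] = ALLOWED_ROOTS) -> List[str]:
    """Return the server's reply lines for one pserver session.

    Any password is accepted (password checking is not modelled); only the
    root-binding check the thread says is missing is shown. The error text
    is my own wording in the protocol's `error` line form.
    """
    it = iter(lines)
    if next(it, None) != "BEGIN AUTH REQUEST":
        return ["error 0 expected BEGIN AUTH REQUEST"]
    auth_root = next(it, "")
    _user = next(it, "")
    _scrambled_password = next(it, "")
    if next(it, None) != "END AUTH REQUEST":
        return ["error 0 expected END AUTH REQUEST"]
    # --allow-root: only listed roots may be served at all.
    if auth_root not in allowed:
        return ["I HATE YOU"]          # the protocol's rejection line
    replies = ["I LOVE YOU"]           # the protocol's acceptance line
    for request in it:
        verb, _, arg = request.partition(" ")
        if verb == "init":
            # The fix: the root being initialised must be the one the client
            # authenticated against; anything else is refused before any
            # directory is created on disk.
            if arg != auth_root:
                replies.append(f"error 0 init: {arg} is not the authenticated root {auth_root}")
            else:
                replies.append("ok")   # a real server would create the repository here
        else:
            replies.append(f"error 0 unsupported request {verb}")
    return replies
```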