[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
read-only anonymous
|
From: |
Kevin Turner |
|
Subject: |
read-only anonymous |
|
Date: |
22 Feb 2003 18:21:44 -0800 |
Today I wanted to figure out how to set up read-only anonymous access to
CVS. When I think "anonymous CVS", I think "pserver", so looked that up
in the Cederqvist and Karl Fogel's cvsbook. Seems easy enough, but then
I looked at that inetd.conf line again and saw the word "root". Neither
one draws any attention to this at all, but "run as root" is definitely
*not* one of my requirements for "read-only anonymous".
A search on cvshome brought up this patch to the documentation* from
Karl Fogel, which was evidently never applied. And there's no
indication of how relevant that information -- now over five years old
-- is today.
* http://www.cvshome.org/dev/patches/nonroot
Please confirm this is a most sane way to do read-only pserver:
I. For read-only access of any kind:
1. Create a directory /var/lock/cvs, *writable* to all CVS readers,
plus sticky bit (aka "restricted deletion flag", so users cannot delete
each others' locks).
2. Add LockDir=/var/lock/cvs to CVSROOT/config.
3. Ensure modules are readable-not-writable to any read-only users of
CVS.
II. The read-only pserver:
0. Assumption: You're not using pserver for anything else.
1. Create an account 'anoncvs' with shell /bin/false.
2. Make anoncvs's group membership consistent with requirements in I.
3. Add 'anoncvs:' to CVSROOT/passwd. (Add a password here if you wish.)
4. Add anoncvs to CVSROOT/readers to tell CVS this is a read-only
user. (This should be redundant, as if your unix permissions are set
correctly, the server running as anoncvs should be simply unable to
write anything.)
5. In CVSROOT/config, set SystemAuth=no. This instructs pserver to not
attempt to do anything as people who are not in CVSROOT/passwd. (This
should be redundant, as without root pserver will not be able to switch
to other users, but can't hurt.)
6. Configure inetd as instructed in cvsbook or the Cederqvist, with one
important exception: where it says "root", instead use "anoncvs". e.g.:
cvspserver stream tcp nowait anoncvs /usr/local/bin/cvs cvs -f
--allow-root=/usr/cvsroot pserver
A Question:
Is installing pserver with an unprivileged user any more secure than
allowing people to ssh in as this underprivledged user with its shell
set to an "exec /usr/bin/cvs server" script? Why or why not?
A final plea:
Please include a warning in the "Anonymous Access" chapter of cvsbook
and "Read-only repository access" chapter in Cederqvist. They both seem
to suggest that pserver is the correct way to do this, and both run
pserver as root. Recommending running an anonymous service (which is
*supposed* to be read-only) as root is likely a larger security bug than
any single unchecked buffer overflow, and Karl Fogel's patch to address
this matter seems to have been left to rot for five years.
Sincerely,
- Kevin Turner
--
The moon is last quarter, 60.7% illuminated, 21.1 days old.
- read-only anonymous,
Kevin Turner <=