
Re: CVS



On Mon, 27 Apr 1998, Ian Jackson wrote:

> CVS pserver has at least the following apparently-very-serious
> problems:
> 
> 1. Passwords transmitted and stored in (near-)plaintext.
> 2. No protection from session hijacking etc.

Same for FTP and telnet, and we allow them both. If we are going to have a
policy that we are paranoid about clear text passwords then it will have
to be applied to all cases.

However, it is good to have the choice to be able to use encryption. [see
below]

> 3. Commands on the server all run as a particular user, specified in a
>    file which is writeable by many other users on the system !

No, I have patched CVS on va to work around this. CVS runs as the owner of
the repository and ONLY that person, the entries in the passwd file are
ignored. It switches to the owner of the root CVS directory it is using
and that cannot be changed without root privileges.

This means each group is isolated and controls its own password list for
its own repository. They are responsible for adding people they trust to
the password list. The CVS daemon can only do damage to that group's files.

It is actually set up as a collection of 4 distinct repositories, one for
each group. 

> I therefore propose the following remedy:
> 
> * CVS pserver should be disabled on va immediately other than perhaps
> for read-only checkout (though I wouldn't trust it for this either).
> Users should be told to use ssh instead (see the CVS manual).

Well, then you propose we give all the GNome, GTK, Gimp, APT, dpkg, Berlin
and whatever developers a full, complete, shell account on our system?
(There are 89 people with write access to the GNome repository alone)

There may be another option (involving a hacked ssh) but there hasn't been
much interest in pursuing it.

The gnome people do not seem to care (and they do realize) and it does
nothing to threaten VA itself or the other projects.

> * Management of checkin access control to parts of the repository
> should be done with ordinary groups on va.  Therefore, we should have
> a group for each CVS tree with different access control.  There has to
> be a way for the admin team to tell who is supposed to be able to add
> people to these groups.

This is a given if you are using ssh.

> * We should anon-FTP-export the repository (or a copy) to allow people
> easy browsing without having to have an account or use pserver.

I'm not sure of the worth of allowing ftp to the RCS files, they are not
that useful to many people on their own. As far as CVS's anon pserver's
security goes, if there are problems with that then there isn't really
much point in running CVS at all.

The repository is already viewable via CVS web from
http://www.debian.org/cgi-bin/cvs-web

It seems your only real complaint is that passwords are plain-text?

There is no reason why debian developers can't use ssh directly, but I
have not been setting all the repositories up as groups because it makes
debian-admin's job a bit harder to keep track of the extra groups and
people. However, Gnome is set up as a group, there is no reason not to.

I will set dpkg up like this and put klee, iwj and mdorman in the group,
if you want other people to use it then email debian-admin@debian.org. 
Also, if you are using ssh then there is no need to have an entry in the
CVSROOT/passwd file.

[This should be done by the end of the week]

Jason
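
The behaviour described in the message above (the server runs as the owner of the repository root directory and ignores the user named in the passwd file), sketched as an added example; it is not the patch applied on va and not part of the original message. The function names are hypothetical, and refusing a root-owned repository is an assumption added here.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* for setgroups() and O_NOFOLLOW on glibc */
#endif
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <grp.h>
#include <unistd.h>

/* Assumed policy: the root must be a directory and must not be owned by
   uid 0, otherwise the daemon would simply keep running as root. */
int owner_acceptable(const struct stat *st)
{
    return S_ISDIR(st->st_mode) && st->st_uid != 0;
}

/* Read the owner from the opened directory itself (fstat on the fd), so
   nothing in CVSROOT/passwd or any other repository file is consulted. */
int repo_owner(const char *root, uid_t *uid, gid_t *gid)
{
    struct stat st;
    int fd = open(root, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    int rc = fstat(fd, &st);
    close(fd);
    if (rc != 0 || !owner_acceptable(&st))
        return -1;
    *uid = st.st_uid;
    *gid = st.st_gid;
    return 0;
}

/* Become the repository owner for good: supplementary groups first, then
   gid, then uid, and finally confirm that root cannot be regained. */
int run_as_repo_owner(const char *root)
{
    uid_t uid;
    gid_t gid;
    if (repo_owner(root, &uid, &gid) != 0)
        return -1;
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return (getuid() == uid && geteuid() == uid && setuid(0) != 0) ? 0 : -1;
}
```

A daemon would call `run_as_repo_owner()` once, before reading any request data, and exit if it returns -1.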


