cvs commit: src/contrib/cvs/src server.c
Jacques A. Vidrine
nectar at FreeBSD.org
Mon Jan 26 12:06:00 PST 2004
On Mon, Jan 26, 2004 at 08:50:39AM -0800, Bruce A. Mah wrote:
> If memory serves me right, Scott Long wrote:
>
> [Lots of context snipped.]
>
> > I guess this means that an UPDATING entry is in order, along with some
> > special words in the release notes. Bruce?
>
> Added this to the release notes...someone feel free to correct me if
> further details are needed or if I got anything wrong (caffeine hasn't
> kicked in yet this morning).
Um, I feel there has been some misunderstanding here that might
explain why some folks were bent out of shape about this change for
5.2.1.
CVS ChangeLog and my commit message:
* pserver can no longer be configured to run as root via the
$CVSROOT/CVSROOT/passwd file, so if your passwd file is
compromised, it no longer leads directly to a root hack. Attempts
to root will also be logged via the syslog.
Bruce's relnotes blurb:
+ <para>&new.521; Two security fixes for <application>CVS</application> (one
+ related to pserver operation and the other dealing with
+ malformed module requests) have been backported from later
+ versions. One side effect of this update is that running
+ pserver as <username>root</username> (a configuration that was
+ already unsupported and insecure) no longer works.</para>
+
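Review bot: the final sentence is ambiguous about which "running pserver as root" stops working, and readers have already taken it to mean the inetd.conf invocation. As the surrounding discussion shows, the inetd.conf line that starts `cvs pserver` as root still works; what the fix disables is a `$CVSROOT/CVSROOT/passwd` entry whose third field maps a CVS user onto the root account (e.g. `luser:bxOZZuQd4CoXs:root`). Suggest rewording to something like: "One side effect of this update is that entries in <filename>CVSROOT/passwd</filename> that map a CVS user to the <username>root</username> system account (a configuration that was already unsupported and insecure) are no longer honored."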
A comment from Xin Li:
: I think he may mean the configuration in /etc/inetd.conf, circa line 63,
: where the example shows how to run cvs pserver as root.
I think that `run as root' has been misinterpreted by some.
This change does *NOT* suddenly make an inetd.conf configuration line
like the following stop working:
cvspserver stream tcp nowait root /usr/bin/cvs cvs --allow-root=/your/cvsroot/here pserver
Rather, the change disables lines like the following in
$CVSROOT/CVSROOT/passwd:
luser:bxOZZuQd4CoXs:root
Without this fix, one who can modify $CVSROOT/CVSROOT/passwd would be
able to gain root access.
Cheers,
--
Jacques Vidrine NTT/Verio SME FreeBSD UNIX Heimdal
nectar at celabo.org jvidrine at verio.net nectar at freebsd.org nectar at kth.se
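To make the distinction above concrete, here is an added audit script (not CVS's server.c and not FreeBSD code) that reads a `$CVSROOT/CVSROOT/passwd` file and flags the entries the fix disables. It assumes the documented pserver entry format `cvs_user:crypted_password[:system_user]`, where a missing third field means the CVS username is also the system user, and it checks the resolved uid rather than the literal name, so an alias of the superuser such as `toor` is caught as well. The sample entries and the uid table are constructed; the `bxOZZuQd4CoXs` hash is the placeholder from the post.

```python
"""Audit a $CVSROOT/CVSROOT/passwd file for entries that would run as root.

Added example for this thread; it is not CVS's server.c or FreeBSD code.
Assumed entry format (CVS pserver): cvs_user:crypted_password[:system_user],
where a missing third field means the CVS username is also the system user.
"""
import logging
from typing import Callable, List, Optional, Tuple

log = logging.getLogger("pserver-audit")

Verdict = Tuple[str, Optional[str], str]  # (cvs_user, system_user, verdict)


def system_uid(name: str) -> Optional[int]:
    """Resolve a system account to its uid via the local password database."""
    import pwd  # Unix only; imported here so the module still loads elsewhere
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None


def audit_passwd(lines: List[str],
                 resolve_uid: Callable[[str], Optional[int]] = system_uid) -> List[Verdict]:
    """Classify each passwd entry; reject anything that resolves to uid 0.

    The check is on the uid, not the name: on BSD 'toor' is also uid 0, and
    any other alias of the superuser is just as dangerous as 'root'.
    """
    verdicts: List[Verdict] = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")
        if not line.strip():
            continue  # blank line
        fields = line.split(":")
        if len(fields) < 2 or not fields[0]:
            log.warning("line %d: malformed entry", lineno)
            verdicts.append((line, None, "malformed entry"))
            continue
        cvs_user = fields[0]
        # Third field is optional; empty or absent means "same as the CVS user".
        system_user = fields[2] if len(fields) > 2 and fields[2] else cvs_user
        uid = resolve_uid(system_user)
        if uid is None:
            log.warning("line %d: %s maps to unknown system user %s",
                        lineno, cvs_user, system_user)
            verdicts.append((cvs_user, system_user, "unknown system user"))
        elif uid == 0:
            # This is the case the fix closes: a writable passwd file must not
            # be a path to root. Record it, as the fixed server does via syslog.
            log.error("line %d: %s maps to uid 0 (%s); refused",
                      lineno, cvs_user, system_user)
            verdicts.append((cvs_user, system_user, "maps to uid 0"))
        else:
            verdicts.append((cvs_user, system_user, "ok"))
    return verdicts


# Constructed sample data; 'bxOZZuQd4CoXs' is the placeholder hash from the post.
SAMPLE_USERS = {"root": 0, "toor": 0, "cvs": 1001, "bob": 1002}
SAMPLE_PASSWD = """\
luser:bxOZZuQd4CoXs:root
sneaky:bxOZZuQd4CoXs:toor
anoncvs:bxOZZuQd4CoXs:cvs
bob:bxOZZuQd4CoXs
ghost:bxOZZuQd4CoXs:nobodyhere
broken
"""


def sample_audit() -> List[Verdict]:
    """Run the audit over the constructed sample with a constructed uid table."""
    return audit_passwd(SAMPLE_PASSWD.splitlines(), resolve_uid=SAMPLE_USERS.get)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for cvs_user, system_user, verdict in sample_audit():
        print(f"{cvs_user:10} -> {str(system_user):12} {verdict}")
```

Pointed at a real repository, replace the `resolve_uid` argument with the default `system_uid` so the lookup goes through the host's password database; the two `maps to uid 0` verdicts in the sample are exactly the entries the fixed server now refuses and logs.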