In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (Larry Jones) writes:

> It's a known problem. Like it says in the Cederqvist manual (under
> "Security considerations with password authentication"):
>
> ... once a user has non-read-only access to the repository, she
> can execute programs on the server system through a variety of
> means.

I believe that most of the problems can be prevented by a carefully designed chroot jail without cvs modification. I think that the problem is serious because chroot cannot prevent it.

> Fixing this will require some serious redesign -- the simplest fix would
> be to just get rid of checkin and update programs, but I'm not sure how
> people would feel about that.

I hope that and my patch do that. If someone wants the function, it should be configurable and disabled by default.

--
Tanaka Akira
