[ On Friday, August 4, 2000 at 15:10:14 (-0400), Justin Wells wrote: ]
> Subject: Re: patch to make CVS chroot
>
> The principle is security: I absolutely do not under any circumstances in 
> any possible universe under any condition want someone accessing the root 
> user id through CVS pserver.

The only 100% guaranteed way to be sure of this is to *NEVER* run CVS as
root, not ever, not for one CPU cycle, period!

You could, if you really insist on using the inherently broken concept
of cvspserver, run CVS setuid to some non-root user (eg. "cvsauth") that
is privileged enough that it can just barely read the CVSROOT/passwd
file; and of course have it give up its meager privileges once it's
authenticated and authorised the connecting user and return to being
just the user it was called as from inetd (eg. "cvsuser").  This isn't
*real* security, of course, but it's the only guaranteed way to prevent
anyone from ever running anything unauthorised as the superuser when
using cvspserver.

Yes, this does imply that if you want to benefit from the relatively weak
advantages of chroot you have to run a setuid-root wrapper that can call
chroot() directly from inetd (such a wrapper isn't exactly easy to write
correctly, and the one mentioned on the list may in fact be already
suitable, but it's one heck of a lot easier to do than it is to modify
CVS to make it secure!).

It also implies that you must have a setuid CVS binary (and in the
chroot'ed area if you do that), though it won't be setuid root and it
will never be run as root so there's little direct risk to the rest of
your system from it (even if you don't chroot it).

Putting chroot() directly in CVS is *WRONG* *WRONG* *WRONG* *WRONG*
because it absolutely requires that you run CVS as root for some period
of time and thus virtually guarantees that someone might be able to
execute unauthorised bits of code as root!  If you do this you are
almost certain to gain infamy on BUGTRAQ.

In fact the/any person who thought it was safe to run cvspserver as root
in the first place should probably never be allowed to touch security-
sensitive code ever again!  There's absolutely no need for using root in
an application like CVS -- that was just a *VERY* bad design decision.

In the end the only real solution is to ditch cvspserver completely and
revert to using the designed for external transport mechanisms that use
real system authentication and authorisation, such as SSH or whatever.

-- 
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <[EMAIL PROTECTED]>      <robohack!woods>
Planix, Inc. <[EMAIL PROTECTED]>; Secrets of the Weird <[EMAIL PROTECTED]>
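The setuid-root wrapper sketched above, as an added example that is not from the thread, from CVS, or from the wrapper mentioned on the list: it enters the jail, then gives up root in the order that actually works (groups, gid, uid), verifies that root cannot be regained, and refuses to exec CVS otherwise. The jail path, the cvsuser uid/gid and the cvs binary path are placeholders.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* for setgroups() declaration */
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Step 1: confine to the jail. Must run while still root, and chdir("/")
 * afterwards so the working directory does not stay outside the jail. */
int enter_jail(const char *dir)
{
    if (chroot(dir) != 0) return -1;
    if (chdir("/") != 0) return -1;
    return 0;
}

/* Step 2: give up root for good. Supplementary groups and gid go first
 * (only root may change them), uid last. Returns -1 if any step fails or
 * if root could still be regained, so the caller can refuse to continue. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; } /* never "drop" to root */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Verify: regaining root must fail and all ids must match the target. */
    if (setuid(0) == 0) return -1;
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    return 0;
}

int main(void)
{
    const char *jail = "/var/cvsjail";             /* placeholder jail path */
    uid_t cvsuser_uid = 1001;                      /* placeholder "cvsuser" ids */
    gid_t cvsuser_gid = 1001;
    if (enter_jail(jail) != 0 || drop_privileges(cvsuser_uid, cvsuser_gid) != 0) {
        perror("cvs-wrapper: cannot confine and drop privileges");
        return 1;   /* never run CVS with any leftover privilege */
    }
    /* Paths are now relative to the jail; inetd's socket stays on stdin/stdout. */
    execl("/bin/cvs", "cvs", "pserver", (char *)NULL);
    perror("cvs-wrapper: exec failed");
    return 1;
}
```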
