[ On Saturday, August 5, 2000 at 01:20:35 (-0400), Justin Wells wrote: ]
> Subject: Re: patch to make CVS chroot
>
> I can't do that because I need to control access to portions of the 
> repository using groups. I wish CVS had this capacity internally but 
> it doesn't--I have to rely on Unix groups and that means I have to 
> run CVS as root. 

Excuse me?  If you just run CVS as normal *REAL* users then you can have
all the benefits of unix groups!

Please do not try to resolve inconsistencies in your own requirements by
making everything less secure!

> Chroot, when used properly, and on a good OS, is adequate for locking up 
> a *non-root* process. It's true that if there is a flaw in the auth portion
> of the pserver request allowing someone to execute arbitrary code then 
> they can escape from the chroot. 

True -- iff used properly.  You're not using it properly.  Put it in an
isolated *tiny* program that does only the chroot and an exec, just like
the *real* chroot binary -- in fact you could probably use the real
chroot program even in some scenarios....

> Unfortunately the way Unix is written there is no other way to gain 
> access to setgid. If there were, my problem would be solved. If CVS 
> had some other kind of group access control technology in it that
> would also solve my problem, but it doesn't.

You can't have your cake and eat it too.  Use real unix user-ids if you
want real security.

> Which is not supported by the majority of my CVS clients (who are
> external users outside my organization and I don't want to spend
> time on the phone with them helping them get WinCVS working with
> ssh, if WinCVS actually ever successfully works with ssh at all).

WinCVS works very well with SSH on NT -- I've no experience with Win9x,
but no reason to believe it won't work since it isn't WinCVS itself that
uses SSH, but rather CVS which runs underneath WinCVS.

> I can't force them to switch to Unix, install loads of specialized 
> software, or fix WinCVS so that its ssh mode actually works. I do
> *have* to provide them with access to my CVS tree or my project will 
> die--not an option. 

Why don't you at least put some effort into using SSH!?!?!?!?!?!

> CVS needs a general solution to this problem. What I did isn't ideal, in
> any sense, but it is about 1000 times better than doing nothing.

CVS already has a general solution to this problem -- use real unix IDs!

> The CVS community has sat around gasping about this problem for a
> *very* long time now: years and years, and nothing whatever has
> been done about it.

I have no idea what you're talking about.  The only thing that's
happened is that people who don't know anything about security have been
trying to mess with things they obviously don't understand.  If CVS is
just used *properly* (i.e. the way it was designed to be used) then
there is no problem to solve in the first place!  The best thing that
could be done to CVS to remove the temptations into trouble that naive
people seem to have would be to completely remove cvspserver once and
for all.

> I was going to work on a fix before, but I ran
> into heavy flak from everyone on this list who was absolutely sure
> that "ssh" was the right way to go. Well ssh isn't the right way
> to go, and I say that based on the fact that 90% of my clients
> can't figure out how to get it work. A solution that doesn't work
> is no solution at all.

SSH is only one of the options that *does* work.  In a secure
environment you can use a less secure transport, such as RSH.

If your clients are so helpless as to be unable to figure out how to get
SSH to work then you could much more easily create a canned, tested,
configuration for them and be done with it than you can fiddle with
stuff you should leave well enough alone.

> What CVS really needs is an external module which handles authentication, 
> has support for ssl, performs the chroot/setgid on auth and then invokes 
> the ordinary cvs to do the processing, and is short enough that it
> can be effectively audited.  CVS doesn't have that, and my guess
> at this point is that it never will: in the meantime, my life goes
> on and I had to do something.

IT ALREADY HAS AS MANY EXTERNAL AUTH MODULES AS YOU CAN DREAM UP!!!!!

SSH, for example is *EXACTLY* what you've asked for, AND IT ALREADY
WORKS!!!!

-- 
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <[EMAIL PROTECTED]>      <robohack!woods>
Planix, Inc. <[EMAIL PROTECTED]>; Secrets of the Weird <[EMAIL PROTECTED]>
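Added example, not code from this thread or from CVS: the kind of tiny chroot-then-exec wrapper described above, which holds root only long enough to chroot and then drops to a real, unprivileged uid/gid before exec'ing cvs, so CVS runs as a normal Unix user and ordinary group permissions apply. The program name, jail path, uid/gid values and the cvs path are assumptions.

```c
/* cvsjail (hypothetical name): chroot, drop privileges, exec. Nothing else. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns only on failure (-1, errno set); on success execv() replaces the
 * process image. Refuses to run the target as root (uid or gid 0), so the
 * exec'd cvs always runs as a real user subject to Unix group permissions. */
int jail_and_exec(const char *jail, uid_t uid, gid_t gid, char *const argv[])
{
    if (jail == NULL || uid == 0 || gid == 0 || argv == NULL || argv[0] == NULL) {
        errno = EINVAL;
        return -1;
    }
    /* chroot() needs root; chdir("/") afterwards so the cwd is inside the jail. */
    if (chroot(jail) != 0 || chdir("/") != 0)
        return -1;
    /* Drop supplementary groups, then gid, then uid (this order matters). */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* The drop must be irreversible: regaining root has to fail. */
    if (setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    execv(argv[0], argv);    /* argv[0] is a path inside the jail */
    return -1;               /* exec failed */
}

int main(int argc, char *argv[])
{
    /* Usage: cvsjail <jail-dir> <uid> <gid> <cvs-path-inside-jail> [args...]
     * (all of these values are deployment-specific assumptions) */
    if (argc < 5) {
        fprintf(stderr, "usage: %s jail uid gid cvs-path [args...]\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[2], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[3], NULL, 10);
    jail_and_exec(argv[1], uid, gid, &argv[4]);
    perror("jail_and_exec");
    return 1;
}
```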
