[ On Sunday, August 6, 2000 at 22:35:33 (-0400), Justin Wells wrote: ]
> Subject: Re: cvs-nserver and latest CVS advisory (Was: patch to make CVS chroot)
>
> It's also not coincidental that pserver performs the authentication
> separately and then hands control down to the lower level just as ssh
> would have done.
>
> No, pserver isn't sensibly implemented like ssh is. But it does the
> same thing. You don't do yourself any service by pretending that pserver
> has a different design flaw than the one it really does have.
You should read up on the set-user-id feature. There's an entire world
of difference between how SSH authorises a user and how CVS would have
to do it under your scheme.
There *MUST* be an intervening exec() in order to protect the privileged
process from being exploited.
--
Greg A. Woods
+1 416 218-0098 VE3TCP <[EMAIL PROTECTED]> <robohack!woods>
Planix, Inc. <[EMAIL PROTECTED]>; Secrets of the Weird <[EMAIL PROTECTED]>
- Re: cvs-nserver and latest CV... Justin Wells
- Re: cvs-nserver and latest CV... Tobias Weingartner
- Re: cvs-nserver and latest CV... Justin Wells
- Re: cvs-nserver and latest CV... Greg A. Woods
- Re: cvs-nserver and latest CV... Justin Wells
- Re: cvs-nserver and latest CV... Greg A. Woods
- Re: cvs-nserver and latest CV... Tobias Weingartner
- Re: cvs-nserver and latest CV... Greg A. Woods
- Re: cvs-nserver and latest CV... Justin Wells
- Re: cvs-nserver and latest CV... Alexey Mahotkin
- Re: cvs-nserver and latest CV... Greg A. Woods
- Re: cvs-nserver and latest CV... Justin Wells
- Re: cvs-nserver and latest CV... Greg A. Woods
- Re: cvs-nserver and latest CV... Justin Wells
- Re: patch to make CVS chroot Alexey Mahotkin
- Re: patch to make CVS chroot Greg A. Woods
- Re: patch to make CVS chroot Rich Salz
- Re: patch to make CVS chroot Justin Wells
- Re: patch to make CVS chroot Justin Wells
