[ On Thursday, January 24, 2002 at 20:40:53 (-0500), Michal Wallace wrote: ]
> Subject: Re: ANN: cvssh - secure ext-to-pserver bridge
>
> You obviously have very strong feelings about this... Can
> you help me understand specifically what risks are involved?

This has been discussed endlessly in this forum in the past.... :-)

> These are the precautions I'm taking:
>
> - The CVSROOT directory is read-only, so customers can't add
> their own users without going through me, nor can they
> set up wrappers.

Ah, but is it protected from potential trojans -- i.e. from authorised users being tricked into making such modifications on behalf of unauthorised users?

> - CVS runs as the user(s) specified in the CVSROOT/passwd
> file. Each repository gets its own user, that does not
> have access to any other repository.

This is a big mistake. You've turned CVS into an authorisation tool giving outside users access to your Unix filesystem (or at least some part of it) and to Unix user-ids. CVS was not designed or implemented as an authorisation tool. It is not secure -- there are many potential bugs, and some of them are not bugs in the normal proper use of CVS.

> - The client-server traffic is protected with SSL.

That's mostly irrelevant, though obviously something of the sort is necessary for any communications over an insecure network.

> - I am in the process of setting up a chrooted jail
> (or jails) on the server, to keep CVS from accessing
> any other directories.

Chroot() is vastly over-rated, and rather complex to get right. Complexity is an enemy of security. Jail() similarly so. CVS was not designed to play well with either and there are many assumptions built into the design of CVS which will break the most fundamental premises necessary to do chroot() well.

I would suggest you and your users just learn to use SSH and forget about trying to implement any security software yourself. If you already have real unix user-ids for every real user then you're most of the way to making it work properly -- why not go all the way?

If you insist on going your own way then I insist you first read Bruce Schneier's "Secrets & Lies: Digital Security in a Networked World" from cover to cover, and then also read John Viega & Gary McGraw's "Building Secure Software: How to Avoid Security Problems the Right Way" cover to cover (maybe even twice) before you even think about how to design your program, let alone write a single line of its code. (i.e. first throw away what you have and be prepared to start over from scratch after you've learned from these most learned of security sages)

CVS is a simple filesystem level tool. You should no more put security responsibilities in it than you would in 'vi' or 'emacs'.

CVS pserver must die.

-- 
Greg A. Woods
+1 416 218-0098; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Planix, Inc. <[EMAIL PROTECTED]>; VE3TCP; Secrets of the Weird <[EMAIL PROTECTED]>

_______________________________________________
Info-cvs mailing list
[EMAIL PROTECTED]
http://mail.gnu.org/mailman/listinfo/info-cvs