Derek Martin <[EMAIL PROTECTED]> writes:

> The CVS support is marked as deprecated, because it may be possible to
> convince cvs binaries to execute a variety of other programs through
> "triggers"... The only way around this is to use rssh with a chroot
> jail, and make sure no binaries you don't want people running are inside
> the jail. Yucky. The only reason I haven't ripped support out
> altogether is a lot of people are already using it, and objected to it
> being removed, despite the concerns. You should probably only use the
> CVS support if it's only going to serve as a CVS server (and absolutely
> only use it in conjunction with a jail).
Right. As mentioned by Tim, svnserve doesn't have this problem, which is
one of the many reasons why it's nicer than CVS. :)

> I won't support Subversion because I don't know it, have no incentive to
> learn it, and suspect it probably has similar pitfalls.

Basically, svnserve can only be run in one mode out of something like
rssh: svnserve -t. All other options can be rejected, and svnserve
should control any further access to the repository and ensure that
users can't put in hook scripts. The hook scripts in Subversion aren't
part of the repository; they're separate shell scripts outside of it,
and can only be modified through the local file system.

I do know Subversion fairly well and use it a lot, and am willing to
test and answer questions about it. I'm not really comfortable putting
something into a Debian package that you don't want in the upstream
source, though, and I personally don't want to use Subversion through
rssh (I'm just the Debian package maintainer and someone else requested
it -- personally, I only use it for rsync), so if you really don't want
to take such patches, I'll probably mark the bug wontfix and let the
submitter know why.

>> There's a patch included in that bug against 2.2.3, but I expect it
>> would require some updating for the current version. If you're
>> interested in this, I could probably find some time to update the
>> patch.

> 2.2.3 has a local root exploit. I seriously hope you're not using it...

No, no, that was just the version that was current when the Debian bug
submitter prepared their own patch. Debian stable shipped with 2.3.2.
(Debian sarge, now oldstable, has 2.2.3 patched for the security
vulnerability, but that predates my involvement in maintaining the
package.)

> I have several objections to this.

These seem like fairly persuasive objections to me. I'll let the
submitter know and mark this wontfix.
> That said, the code is completely free, and the Debian folks are free to
> add whatever patches they want, as they are wont to do...

Well, I'm not. :) I want to maintain an rssh package, not an rssh fork.
I'm happy to pass on requests from Debian users, but I don't want to add
major features in the Debian version that you're not comfortable with.

-- 
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>

_______________________________________________
rssh-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/rssh-discuss
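The restriction Russ describes in the message above (accept exactly `svnserve -t` and reject every other request, with the server rather than the client choosing the repository) written out as an SSH forced-command wrapper. This is an added example in POSIX shell, not code from rssh or from anyone in this thread. It assumes it is installed as a `command=` forced command, so `SSH_ORIGINAL_COMMAND` holds the client's request, and it uses `/srv/svn` as a constructed placeholder for the repository root.

```shell
#!/bin/sh
# Added example (not rssh's code): an SSH forced-command wrapper that permits
# exactly one client request, "svnserve -t", and rejects everything else.
# Install with a line like the following in ~/.ssh/authorized_keys:
#   command="/usr/local/bin/svn-only.sh",no-port-forwarding,no-pty ssh-rsa ...
# The repository root below is a constructed placeholder for this example.
SVN_ROOT=/srv/svn

# Return 0 only when the request is the exact string "svnserve -t".
# An exact match (not a prefix match) means "svnserve -t -r /etc",
# "svnserve -t; sh" and the like are all refused.
svn_tunnel_allowed() {
    case "$1" in
        'svnserve -t') return 0 ;;
        *)             return 1 ;;
    esac
}

# Report the policy decision for the request in $1: print the command that
# would be exec'd on success, or "DENY" on failure, so the policy can be
# exercised without actually starting svnserve.
svn_decide() {
    if svn_tunnel_allowed "$1"; then
        printf 'svnserve -t -r %s\n' "$SVN_ROOT"
    else
        printf 'DENY\n'
    fi
}

# Entry point: consult sshd's SSH_ORIGINAL_COMMAND (unset when the client
# asked for an interactive shell, which is therefore also refused) and exec
# svnserve in tunnel mode with a server-chosen repository root so the client
# cannot pick a different directory.
svn_only_main() {
    req="${SSH_ORIGINAL_COMMAND:-}"
    if svn_tunnel_allowed "$req"; then
        exec svnserve -t -r "$SVN_ROOT"
    fi
    printf 'svn-only: rejected request: %s\n' "${req:-<interactive shell>}" >&2
    exit 1
}

# Run the entry point only when invoked as the installed script, so the
# functions above can also be sourced and checked on their own.
case "$0" in
    */svn-only.sh) svn_only_main ;;
esac
```

The key design choice is the exact-string comparison: a prefix or glob match such as `svnserve -t*` would let a client append options or shell metacharacters, which is precisely the class of problem the thread is worried about with CVS triggers. Pairing the wrapper with `no-pty` and `no-port-forwarding` in authorized_keys keeps the key usable for nothing but the tunnel.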
