CVS security update [ was Re: Please follow the KISS principle ]

Jason rohwedde at codegrinder.com
Wed Dec 31 02:31:21 UTC 2003


The main changes concerning that seem to be in src/server.c in the
switch_to_user function.  I think you'd still be able to run the cvs
daemon as root.  In fact, I think it would still have to run as a
privileged user in order to switch UID's to the proper user upon login.
However, when the cvs user tries to authenticate it would refuse to 
switch to the root user, and then syslog it.

If someone is logging into their repository as root... they've got issues
anyway.  But, I don't see a problem with having this patched in.

my 2 cents

-jason

From the linked news advisory.

>"Previously, any user with the ability to write the CVSROOT/passwd file
>could execute arbitrary code as the root user on systems with CVS
>pserver access enabled. We recommend this upgrade for all CVS servers!"

And from the NEWS file (which you would think should match the cvs
changelog):

>* pserver can no longer be configured to run as root via the
>  $CVSROOT/CVSROOT/passwd file, so if your passwd file is compromised,
>  it no longer leads directly to a root hack.  Attempts to root will also be
>  logged via the syslog.

from src/server.c

switch_to_user (cvs_username, username)
...
    if (pw->pw_uid == 0)
    {
...
        printf("error 0: root not allowed\n");
        error_exit ();
    }

On Tue, Dec 30, 2003 at 08:22:17PM -0500, seth vidal wrote:
> > BTW: There seems to be a security update available for CVS:
> > http://ccvs.cvshome.org/servlets/NewsItemView?newsID=88
> > 
> 
> I was looking at this bug and I noticed this in the cvs changelog:
> 2003-12-18  Derek Price  <derek at ximbiot.com>
> 
> 	* NEWS: Note that pserver can no longer run as root.
> 
> That's a bit interesting. Providing a patched package that suddenly
> makes running pserver as root not  work would be surprising, I think.
> 
> -sv
> 
> 
> 
> --
> fedora-legacy-list mailing list
> fedora-legacy-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-legacy-list