Package: cvs
Version: 2:1.12.13+real-9
Severity: normal

debian/rules configures the package with "--disable-rootcommit" (which
is also the upstream default), to prevent root from committing to local
repositories.

That makes it impossible for root to track his own files in a private local
repository located under /root, thus forcing sysadmins to fall back to RCS
or switch to heavier and less flexible VC systems.

Now, the obstacle can be circumvented, e.g. by working around getlogin()
and overriding its NULL return value via the environment variable LOGNAME,
effectively impersonating any user:

    env LOGNAME=someuser cvs -d :fork:/root/my.repo commit -m "blablabla" <&-

As a last resort, a malicious superuser (?!?) can always commit as a
non-privileged user, and then manipulate the text files under CVSROOT.

Summarizing: as a security measure, disabling root commit is next to
irrelevant, but inconvenient for honest sysadmins.  Therefore I suggest
toggling the flag in debian/rules, replacing it with --enable-rootcommit.

A better solution would be to add a flag (perhaps -S) to the commit
subcommand, and refuse to proceed (to remind the superuser that he is
trying to commit with root privileges) unless the flag is specified on
the command line; but I don't expect upstream to easily agree.

Best regards
        g

-- System Information:
Debian Release: 7.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages cvs depends on:
ii  adduser           3.113+nmu3
ii  dpkg              1.16.12
ii  install-info      4.13a.dfsg.1-10
ii  libbsd0           0.4.2-1
ii  libc6             2.13-38+deb7u1
ii  libgssapi-krb5-2  1.10.1+dfsg-5+deb7u1
ii  libkrb5-3         1.10.1+dfsg-5+deb7u1
ii  zlib1g            1:1.2.7.dfsg-13

Versions of packages cvs recommends:
ii  openssh-client  1:6.0p1-4

Versions of packages cvs suggests:
pn  mksh  <none>
ii  rcs   5.8.1-1

-- no debconf information