Hi Ian,

>zealot:d> ll CVSROOT/
>...
>-rw-rw-rw- 1 ian ian 0 Mar 26 13:38 history
>...
>-rw-rw-rw- 1 ian ian 0 Mar 26 13:38 val-tags

Indeed. This is something I wondered about as well, and which, I think, most people actually operating a CVS server change. I just did a quick test, and I found out that repository access needs write permissions (for the reader lock files) anyway (or CVSREADONLYFS/-R, of course), so this is probably totally useless.

>AFAICT from the text in cvs.txt.gz, a corrupted val-tags file can
>cause CVS to be oblivious to some tags and claim they do not exist. I

I see only the requirement for users that can commit to be able to write into them there, and a historic reference. I’ve been running my CVS repository with a truncated val-tags for ages; each 'cvs tag' operation adds to it, but nothing so far has failed when I remove the entries again. This is probably a historic accident or something.

>AIUI the history file is used to record even read-only operations.

This is true, but it can be disabled.

>I'm not sure what the worst consequences could be of a corrupted or
>malicious history file.

AFAICT it’s append-only.

>Instead, it would be better to make the file writeable only by those
>with write access to the repository, and simply not record the
>read-only operations.

I agree. We could create them both with permissions 0644 and adjust the default configuration accordingly.

>I have filed this bug with severity `serious' because it's a prima
>facie security bug and because I didn't find anything in the package

I don’t quite agree with that, but given it also affects temporary local repositories users could create in their homes when those are traversable by other, it can have not-nice effects.

>If these permissions are indeed safe, then please take this as a
>request for a documentation improvement and downgrade the bug
>accordingly.

I think I’ll look into changing the default configuration and permissions instead and documenting this (in the Cederqvist and the Debian NEWS file).
I’ll check whether the history file is indeed append-only, too, and what val-tags is used for internally, then I’ll do an upload. We’ll deviate from upstream there, but given chances are that I’ll become the new upstream anyway, this point is irrelevant.

Please feel free to provide further input (suggested behavioural changes, documentation, patches, etc.) if you wish. Your contribution by means of filing bugs is appreciated.

Thanks,
//mirabilos
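The permission check discussed in this mail, as an added example that is not part of the original message or of the CVS package: a POSIX shell audit that lists world-writable files under `CVSROOT`, reports whether other local users can reach them through the parent directories, and applies the proposed 0644 mode to `history` and `val-tags`. The function names and the demo repository are hypothetical, and the single-committer layout is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): audit CVSROOT for world-writable files.

# List regular files under REPO/CVSROOT that "other" may write to.
world_writable_admin_files() {
    find "$1/CVSROOT" -type f -perm -0002 2>/dev/null | sort
}

# Succeed if CVSROOT and every directory above it has o+x, i.e. other local
# users can actually reach the files.
reachable_by_other() {
    d=$(cd "$1/CVSROOT" 2>/dev/null && pwd -P) || return 1
    while :; do
        [ -n "$(find "$d" -prune -perm -0001)" ] || return 1
        [ "$d" = / ] && return 0
        d=$(dirname "$d")
    done
}

# Set history and val-tags to MODE (default 0644, as proposed in the thread).
# Assumption: one committer owns the repository; a shared one needs 0664.
tighten_admin_files() {
    for f in history val-tags; do
        [ -f "$1/CVSROOT/$f" ] && chmod "${2:-0644}" "$1/CVSROOT/$f"
    done
    return 0
}

# Print one line per finding; return 1 if anything was found, else 0.
audit_cvsroot() {
    files=$(world_writable_admin_files "$1")
    [ -z "$files" ] && return 0
    if reachable_by_other "$1"; then exposure="reachable by other users"
    else exposure="an ancestor directory lacks o+x"; fi
    printf '%s\n' "$files" | while IFS= read -r f; do
        printf 'world-writable: %s (%s)\n' "$f" "$exposure"
    done
    return 1
}

# Constructed demo: a throwaway repository with the modes from the listing.
demo=$(mktemp -d) && mkdir "$demo/CVSROOT"
: > "$demo/CVSROOT/history"; : > "$demo/CVSROOT/val-tags"
chmod 0666 "$demo/CVSROOT/history" "$demo/CVSROOT/val-tags"
audit_cvsroot "$demo" || tighten_admin_files "$demo"
audit_cvsroot "$demo" && echo "clean after tightening"
rm -rf "$demo"
```

The traversal check looks only at classic mode bits, so ACLs on the path are outside what it reports.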