[ On Sunday, August 6, 2000 at 00:45:37 (-0400), Justin Wells wrote: ]
> Subject: Re: patch to make CVS chroot
>
> That looks like a really good idea.

Be warned that if used in the scenario where it provides "virtual
repositories" it suffers the exact same design flaws (and is thus at
least equally insecure) as cvspserver.

See the recent thread on BUGTRAQ where someone "exposed" the
insecurities of cvspserver.

> On Sat, Aug 05, 2000 at 01:49:10PM +0400, Alexey Mahotkin wrote:
> > >>>>> "JW" == Justin Wells <[EMAIL PROTECTED]> writes:
> > 
> > JW> What CVS really needs is an external module which handles
> > JW> authentication, has support for ssl, performs the chroot/setgid on auth
> > JW> and then invokes the ordinary cvs to do the processing, and is short
> > JW> enough that it can be effectively audited.  CVS doesn't have that, and
> > JW> my guess at this point is that it never will: in the meantime, my life
> > JW> goes on and I had to do something.
> > 
> > Justin, please take a look at http://alexm.here.ru/cvs-nserver/
> > 
> > You could also look through the recent thread about "Proposal: have client
> > CVS send remote username to server CVS". 
> > 
> > --alexm
> > 
> 
> 

-- 
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <[EMAIL PROTECTED]>      <robohack!woods>
Planix, Inc. <[EMAIL PROTECTED]>; Secrets of the Weird <[EMAIL PROTECTED]>
