On Sun, Aug 06, 2000 at 07:37:56PM -0400, Greg A. Woods wrote:
> If someone breaks your hacked chroot patch they will, by your design,
> have superuser privileges, at which point chroot is meaningless because
> anyone capable of doing the first crack will snuff your chroot in mere
> seconds and you'll be so fubared that you might not even be able to
> detect any problem for weeks, months, or even years!  Read Phrack#54,
> for an example of how they can hide from you indefinitely.  In fact it's
> practically script-kiddie fodder by now.....

This has *always* been true of pserver. It must start out running as root, 
and does not run any other way. If you try and run it as a non-root user 
it errors when it attempts to call setgid/setuid--with or without my patch. 

CVS pserver has always been script kiddie fodder, but my patch makes it
much less so:

     WITHOUT CHROOT PATCH            WITH CHROOT PATCH
     -------------------------------------------------------------------

     pserver must be run as root     pserver must be run as root

     pserver might drop root         pserver is guaranteed to drop
     permissions before invoking     root permissions before invoking
     cvs commands                    cvs commands

     cvs commands might be used to   cvs commands can only be used to
     read/write any file in the      read/write files inside the limited
     entire operating system         chroot area
  
     pserver might be used to        execution of programs can be 
     execute any program on the      disabled by chrooting to a 
     system                          non-executable partition

This is a *huge* improvement in security. It only applies to pserver, 
but it transforms pserver from a wide open barn door into something with
reasonably good (but not perfect) security.

Your argument seems to be that anything that is not absolutely
perfect ought to be dropped. I'll accept that argument when people
agree to drop pserver entirely from CVS--until then the chroot
patch is badly needed.

It sounds to me like you're just too stubborn to admit you're wrong.

You can argue correctly that pserver is not perfect security and can 
never be made perfectly secure. However, so long as there are people 
who feel they have to use it, it is sensible to make it as secure as 
it can possibly be.

Your argument against my patch boils down to "I hate pserver, please
don't improve it." Ridiculous.

Justin
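The chroot-and-drop sequence the comparison table summarises, written out as an added C example (hypothetical names, not code from the pserver patch): the ordering (chroot, then chdir into the jail, then drop supplementary groups, gid, and finally uid) plus a post-check are what turn "might drop root" into "guaranteed to drop root", and the noexec check corresponds to the last table row (ST_NOEXEC is a Linux/glibc flag; the example assumes Linux).

```c
/* Added example, not part of the CVS pserver patch. Demonstrates a
 * privilege drop into a chroot jail that fails closed at every step. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <sys/statvfs.h>
#include <sys/types.h>
#include <unistd.h>

enum drop_status { DROP_OK = 0, DROP_ERR_BADARG, DROP_ERR_CHROOT, DROP_ERR_CHDIR,
                   DROP_ERR_GROUPS, DROP_ERR_SETGID, DROP_ERR_SETUID, DROP_ERR_VERIFY };

/* 1 if the filesystem holding `path` is mounted noexec (programs cannot be
 * executed from inside the jail), 0 if it is executable, -1 on statvfs error. */
int jail_is_noexec(const char *path) {
    struct statvfs sv;
    if (statvfs(path, &sv) != 0) return -1;
#ifdef ST_NOEXEC
    return (sv.f_flag & ST_NOEXEC) ? 1 : 0;
#else
    return 0;                       /* flag not exposed on this platform */
#endif
}

/* Confirms no root identity survives: real and effective ids equal the
 * target, and regaining uid 0 is refused by the kernel. */
int verify_unprivileged(uid_t uid, gid_t gid) {
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    if (setuid(0) != -1 || errno != EPERM) return -1;   /* must be impossible now */
    return 0;
}

/* Must be called while still root (as pserver starts); errno is left set by
 * the failing call. A non-root caller fails at chroot() with EPERM, which is
 * the same failure mode the mail describes for setgid/setuid. */
enum drop_status drop_into_chroot(const char *root, uid_t uid, gid_t gid) {
    if (uid == 0 || gid == 0) return DROP_ERR_BADARG;   /* "dropping" to root is no drop */
    if (chroot(root) != 0) return DROP_ERR_CHROOT;
    if (chdir("/") != 0) return DROP_ERR_CHDIR;          /* cwd outside the jail lets ".." escape it */
    if (setgroups(0, NULL) != 0) return DROP_ERR_GROUPS; /* supplementary groups go before root does */
    if (setgid(gid) != 0) return DROP_ERR_SETGID;        /* gid before uid: setgid still needs root */
    if (setuid(uid) != 0) return DROP_ERR_SETUID;
    if (verify_unprivileged(uid, gid) != 0) return DROP_ERR_VERIFY;
    return DROP_OK;
}
```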
