[ On Wednesday, August 9, 2000 at 13:52:05 (-0400), Rich Salz wrote: ]
> Subject: Re: cvs-nserver and latest CVS advisory (Was: patch to make CVS chroot)
>
> Except that doing it right is not the trivial job that you have
> repeatedly said it is.  CVS requires the local operating system to do
> all its authorization checks for it.  That means that you have to map
> all remote users into a local identity.

... and so what's so hard about that?  SSH does that for you in a
reasonably secure fashion (i.e. it prevents, or at least makes
pragmatically impossible, all known attacks between the client's
physical network interface and server's physical network interface, and
it makes it very difficult for any user on the server to be unaccountable
for their actions).

>  Or, you have to trust the
> server to (completely) mediate access to the objects that it is serving
> up.  But, there are times when this is not feasible (or even possible),
> and people do things like hack cvspasswd files, "triggers" in info
> scripts, etc.

If you mean "CVS" when you say "server" above then I would say that
though it's possible, it's wrong and redundant to do so.  We haven't put
all this work into making the system secure just to have some ignorant
applications programmers subvert the entire works in one blow!

Maybe if CVS were merely a database and could be proven (or at least
give strong assurances) to never execute *any* code on behalf of the
client then there would be at least an ounce of an argument on the side
of including authorisation within it (just as some databases do).
Authentication issues may still be a separate issue though and that
brings us back to still having system-level identities....

As Tobias said, there's really only laziness to blame for not
implementing SSH in clients where it doesn't already exist in a fashion
suitable for use by a CVS client.

> As long as "all the world's a vax."  Or, at least, in my passwd
> database...

SSH works on many platforms, and is apparently well enough specified
that it can be implemented independently and interoperably on any
capable platform.  Same goes for SSL, and probably SRP too.

Unfortunately some operating systems don't provide the basic protections
necessary and even their owners can't always trust them sufficiently.
"Personal Computing" is a nightmare for all systems security
professionals.

-- 
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <[EMAIL PROTECTED]>      <robohack!woods>
Planix, Inc. <[EMAIL PROTECTED]>; Secrets of the Weird <[EMAIL PROTECTED]>
