[ On , August 9, 2000 at 23:25:59 (+0100), James Youngman wrote: ]
> Subject: Re: patch to make CVS chroot
>
> [EMAIL PROTECTED] (Greg A. Woods) writes:
>
> > If I had any say in sourceforge I'd encourage them to move read-only
> > anonymous access over to a separate non-trusted system that cannot write
> > to the live repositories (they could do this either with NFS and a
> > couple of tiny hacks, or with regular CVSup updates, etc.) and I'd
> > further encourage them to ditch cvspserver support entirely and set up
> > unique (i.e. per-project) anonymous SSH accounts for read-only access.
>
> What would be wrong with them running the anonymous access as a
> dedicated "nobody" user (i.e. no write access to anything in the
> repository) with the lockfiles written out into a separate directory
> tree?
The exploit posted to BUGTRAQ, along with probably a dozen more, or
perhaps even hundreds in a poorly concieved environment, which will give
shell access to the server....
It's best to assume that shell access is possible even while you do
everything you can to mitigate the risks that such access might pose.
Even reactive mechanisms, such as process accounting to watch for and
report anomalies in activity by this "anonymous" user will greatly
reduce the risks. However ultimately the only strong protection is to
completely isolate the anonymous access from the live repository.
--
Greg A. Woods
+1 416 218-0098 VE3TCP <[EMAIL PROTECTED]> <robohack!woods>
Planix, Inc. <[EMAIL PROTECTED]>; Secrets of the Weird <[EMAIL PROTECTED]>
