[MUD-Dev] Re: Ruminations on CVS and developing in the Bazaar

J C Lawrence claw at under.engr.sgi.com
Tue Dec 1 16:30:55 CET 1998


On Mon, 30 Nov 1998 21:09:01 -0700 (MST) 
greear <greear at cyberhighway.net> wrote:

> On Mon, 30 Nov 1998, J C Lawrence wrote:

>> There are two levels to such trust:
>> 
>> 1) Trust them when accessing your machine (or whoever might gain
>> access to your machine via the account you give them).
...
>> #1 is a bitch, and one I am becoming intimately familiar with
>> under CVS.  The problem is that any given CVS user with write
>> access to the repository effectively has the ability to execute
>> arbitrary programs on your machine without your control.  This is
>> not something I'm happy with for Kanga.Nu (I'm paranoid).  After
>> a lot of beating about the bush and messing with SSH, and SSH
>> pipes in an attempt to secure (more) the authentication end of CVS
>> (it's pretty lightweight out of the box) with the idea of using
>> SSH to help limit the number of people who know or can get the
>> authentication data, I've finally given up.  SSH1 just can't make
>> port forwarded pipes to accounts which aren't login/shell
>> accounts (ideally I'd use an account with /bin/false for a shell,
>> a * password, and whose home directory is root.root with 0400
>> permissions) and I'm uncomfortable with the security of SSH2 as
>> well as its licensing restrictions.

> You don't have to give anyone an account on your machine.  

The account limitation is part of SSH1.  SSH2 doesn't have that
limitation -- it has different problems.

> (I think you know this, just pointing it out..)  You just map
> their account to the cvs-user account.

Even if you use aliases, they have to end up mapping to a valid
account on your CVS machine, and due to the way that CVS is put
together, once a person has CVS write access to your repository, you
can safely assume that they are able to execute arbitrary programs
under that User ID.  Worse, if they can compromise the pserver
(something that was not expressly architected for security) you can
probably also assume that they can execute arbitrary programs as
root.

I'm minorly willing to live with the fact that unknowns might be
able to compromise the pserver and thus compromise root on my
system.  It's a nasty fact, but it's not something I can change
easily.  I am utterly unwilling to give unknowns the ability to
execute arbitrary programs on my servers.  All it takes is one yobbo
watching you type your password, and the next thing I know "cvs_user"
is off running `rm` and friends in unhealthy places.

> In the above example, there is no need to create the user 'ben',
> and there is no reason that the end user should know cvs_user's
> password.  Using this, other than the cvs commands, I'm not sure
> if you really can get into the box.  Of course, haven't tried too
> hard or read extensively on it...

Read the Cyclic pages.  The basic summary: you are safe in assuming
that CVS users can execute arbitrary programs on your CVS host.

Remember: CVS is *built* to run programs as part of its checkin and
checkout procedure.  It provides a vast number of opportunities for
compromise.

--
J C Lawrence                               Internet: claw at kanga.nu
(Contractor)                              Internet: coder at kanga.nu
---------(*)                     Internet: claw at under.engr.sgi.com
...Honourary Member of Clan McFud -- Teamer's Avenging Monolith...
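The "CVS is built to run programs" point above refers to the trigger files in the repository's CVSROOT module (commitinfo, loginfo, verifymsg, taginfo): CVS executes whatever program each matching line names, so anyone who can commit to CVSROOT can choose what the server runs. The script below is an added example, not code from the thread or from CVS itself; it parses those files and flags any program that is not on an administrator's allowlist, which is the check a repository owner would want to run periodically. The trigger-file names are real CVS admin files; the hook paths, the allowlist and the file contents are constructed for the example.

```python
"""Audit the trigger files in a CVS repository's CVSROOT module.

CVS runs the programs listed in CVSROOT/commitinfo, loginfo, verifymsg
and taginfo during commits and tags, so a committer with write access to
the CVSROOT module can make the server execute a program of their choosing.
This script (an added example, not part of the original thread or of CVS)
parses those files and reports every command that is not on an explicit
allowlist of hook scripts the administrator knowingly installed.
"""
import shlex

# Admin files whose right-hand side is a program CVS executes.
TRIGGER_FILES = ("commitinfo", "loginfo", "verifymsg", "taginfo")

# Hook programs the administrator installed on purpose (hypothetical paths).
ALLOWED_COMMANDS = {
    "/usr/local/cvs/hooks/check-style",
    "/usr/local/cvs/hooks/mail-commit",
}


def parse_trigger_file(text):
    """Yield (pattern, argv) for each active line of a CVS trigger file.

    Each non-comment line is "regex program [args...]"; the regex field may
    also be the keyword ALL or DEFAULT.  Blank lines and '#' comments are
    skipped, as is a pattern line that names no program at all.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue  # pattern without a command: nothing would run
        pattern, command = parts
        try:
            argv = shlex.split(command)
        except ValueError:
            # Unbalanced quotes: fall back to a plain whitespace split so the
            # program name is still reported rather than silently skipped.
            argv = command.split()
        if argv:
            yield pattern, argv


def audit_cvsroot(files, allowed=ALLOWED_COMMANDS):
    """Return findings for programs that are not on the allowlist.

    `files` maps a trigger-file name to its text.  Each finding is a tuple
    (file name, pattern, program); an empty list means every hook is known.
    """
    findings = []
    for name, text in files.items():
        if name not in TRIGGER_FILES:
            continue
        for pattern, argv in parse_trigger_file(text):
            program = argv[0]
            if program not in allowed:
                findings.append((name, pattern, program))
    return findings


# Constructed sample CVSROOT contents: two expected hooks plus two lines an
# administrator never installed (a program under /tmp and one under a
# committer's home directory).
SAMPLE_CVSROOT = {
    "commitinfo": (
        "# Check style on every commit\n"
        "ALL /usr/local/cvs/hooks/check-style\n"
        "^server/ /tmp/.cache/update %s\n"
    ),
    "loginfo": (
        "DEFAULT /usr/local/cvs/hooks/mail-commit %s\n"
        "^CVSROOT /home/cvs_user/notify.sh %s\n"
    ),
    "verifymsg": "",
    "taginfo": "DEFAULT /usr/local/cvs/hooks/check-style\n",
}

if __name__ == "__main__":
    for name, pattern, program in audit_cvsroot(SAMPLE_CVSROOT):
        print(f"{name}: pattern {pattern!r} runs unlisted program {program}")
```

In a real deployment the `files` mapping would be read from a fresh checkout of the CVSROOT module (or from the repository's CVSROOT directory on the server), and the allowlist kept outside the repository, since the point of the check is that the repository's own contents are what an untrusted committer controls.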