[cvsnt] ACLs, permissions, readers/writers, etc

Tony Hoyle tmh at nodomain.org
Tue Aug 24 16:24:27 BST 2004


Aidan Corey wrote:

> If you are going down this route (making CVSNT secure against attackers who
> have commit access to CVSROOT), don't you need to prevent things like
> commitinfo and historyinfo (and any filters they might call) going into
> checkoutlist?  An attacker could write a historyinfo filter that silently
> tries to add them to the admin file.

True, but then any security is better than none at all....  one of the 
reasons to prevent things like passwd and admin from being in 
checkoutlist is to stop people with only read access to CVSROOT gaining 
enough information to compromise the repository (by knowing who the 
administrator accounts are, for example, or in extreme cases, the 
contents of the passwd file).  It also stops new admins making basic 
mistakes with checkoutlist.

Setting the NTFS permissions on admin, group and passwd so that nobody 
can write to them except very special users would prevent this also.  Of 
course it'd also break 'cvs passwd' if you weren't one of those users... 
a compromise of security over convenience that's up to the individual 
admins.

In general once someone gets commit rights to CVSROOT it's game over for 
repository security really (even if you have a chroot without libraries 
there are ways to execute a statically linked file - however in that 
case they wouldn't get any further access of course), which is why I 
suggested locking it down so nobody could even read it.

>>If you set an ACL so that nobody but administrators can even checkout
>>CVSROOT then it'll still work and be safe - the server itself accesses
>>the files directly so doesn't need read access via that mechanism.
> 
> 
> Are history and val-tags still exceptions to this
> (http://www.cvsnt.org/wiki/SetAcl)?  Or are you suggesting a CVSNT ACL rather
> than an NTFS ACL here?
>
A CVSNT ACL is easier as you don't need any special filesystem 
permissions.  A future version of CVSNT will add such an ACL 
automatically on cvs init.

Tony
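
An added example, not part of the original message and not CVSNT's own code: a small audit of a CVSROOT/checkoutlist file that flags the entries discussed above (passwd, admin and group, plus the commitinfo and historyinfo trigger files raised in the quoted question). It assumes the usual checkoutlist layout of one filename per line followed by an optional error message, with "#" starting a comment; the function name, labels and sample content are constructed for illustration.

```python
# Added example: audit a checkoutlist for entries this thread warns about.
# Assumption: each non-comment line is "<filename> [error message]".

# Files the message says should not be readable via checkoutlist.
SECRET_FILES = {"passwd", "admin", "group"}
# Trigger files named in the quoted question; flagged for manual review.
TRIGGER_FILES = {"commitinfo", "historyinfo"}


def audit_checkoutlist(text):
    """Return (line_number, filename, kind) for every risky entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        name = line.split(None, 1)[0]  # drop the optional error message
        # Compare on the last path component, case-insensitively, because
        # NTFS file names are case-insensitive.
        base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if base in SECRET_FILES:
            findings.append((lineno, name, "secret"))
        elif base in TRIGGER_FILES:
            findings.append((lineno, name, "trigger"))
    return findings


# Constructed sample input, not taken from a real repository.
SAMPLE = """\
# constructed sample checkoutlist
modules2
passwd   could not check out passwd
historyinfo
  Admin
"""

if __name__ == "__main__":
    for lineno, name, kind in audit_checkoutlist(SAMPLE):
        print(f"checkoutlist:{lineno}: {name} ({kind})")
```
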


