lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200408051252.10109.krustev@krustev.net>
Date: Thu, 5 Aug 2004 12:52:10 +0300
From: Delian Krustev <krustev@...stev.net>
To: bugtraq@...urityfocus.com
Cc: "Greg A. Woods" <woods@...rd.com>
Subject: Re: CVS woes: .cvspass


On Wednesday 04 August 2004 23:35, Greg A. Woods wrote:
> Nope, sorry, but that's just not possible, at least not with CVS pserver.

What's not possible ? Using IPSEC ?!

> The unix security model, within which CVS is designed and implemented to
> work, _requires_ unique user-IDs for each and every unique human user.
>
> This is in fact a basic, fundamental, requirement of all systems of this
> type.
>

I'm not sure what You mean by "human user". The users in cvs doesn't have
to be mapped to system users(CVSROOT/passwd).

> CVS is not, and cannot be, a security tool so running it as root and
> pretending to have it do all your authentication and authorisation flies
> directly in the face of the underlying system security model and leaves
> you with no real and verifiable accountability whatsoever, and it also
> leaves you open to the possibility of yet another vulnerability vector
> in the form of the unaudited CVS code base.  Remember that the vast
> majority of all security incidents originate internally to the
> organisations they affect.

You're right CVS is not a security tool. It's a version control system.
In fact, what You are talking about ? Do You remember what the subject
of the post You're replying to was ?

[snip]

> If you think your network is secure enough courtesy other mechanisms
> then you can use RSH instead of SSH, but DO NOT try to use cvspserver
> for anything but totally anonymous access.

There's a site outhere. It's sf.net . They demonstrate, with the number
of projects being hosted there (with pserver access), You're not right
again.

The cvs server doesn't have to be run as root. IMHO it's pretty bad
idea to run it as root. Furthermore cvs provides several hooks, which
could be utilized if you need control at certain points and over
certain operations. E.g. commiters could be controlled by module and
branch.

About the password scrambling. It's well documented why it's like
that. The scrambling algorithm is also described. And it's all there.
In the manual. 
S.O. said that fake security is worse than no security. Password 
encryption in .cvspass should be considered "no security".


On the other side, people's stupidity is endless. I won't be surprised
to see private keys posted in a public forum. This, ofcourse, could
be nothing but a reason for admiration.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ