savannah-hackers

[sr #110993] Cvs.pm: bad cvs permission setup


From: Jing Luo
Subject: [sr #110993] Cvs.pm: bad cvs permission setup
Date: Tue, 26 Dec 2023 08:00:54 -0500 (EST)

URL:
  <https://savannah.nongnu.org/support/?110993>

                 Summary: Cvs.pm: bad cvs permission setup
                   Group: Savannah Administration
               Submitter: jing
               Submitted: Tue 26 Dec 2023 10:00:52 PM JST
                Category: Savane
                Priority: 5 - Normal
                Severity: 5 - Blocker
                  Status: None
             Assigned to: None
        Originator Email: 
        Operating System: None
             Open/Closed: Open
         Discussion Lock: Any


    _______________________________________________________

Follow-up Comments:


-------------------------------------------------------
Date: Tue 26 Dec 2023 10:00:52 PM JST By: Jing Luo <jing>
Hi,

Cvs.pm has one line in sub setup_cvs_permissions:

  # Seal CVSROOT dir; 2775 on the top dir allows group members
  # with local access to rename CVSROOT and replace it with
  # their own.
  system ('chmod', '-R', 'a-w', "$dir_cvs/CVSROOT/");

This will cause the CVSROOT to be read-only, effectively cancelling all
previous permission setup. The symptoms include cvs history not being writable
when committing:

> cvs commit: warning: cannot open history file `$dir_cvs/CVSROOT/history' for write: Permission denied

The comment mentions "2775 on the top dir allows group members with local
access to rename CVSROOT and replace it with their own", which is not true,
because we already have this in sub make_cvs_directory:

  # Make the CVSROOT ro for anybody; doing otherwise is a major security
  # hole:
  # ancient versions of pserver, if ran as root, can be set to give root
  # access using the CVSROOT/passwd file; you also basically give local
  # access if you allow people to modify the hooks.
  system ('chown', '-R', 'root:root', "$dir_cvs/CVSROOT");
  system ('chmod', '755', "$dir_cvs/CVSROOT");

So, the solution would be to either delete the line
"system ('chmod', '-R', 'a-w', "$dir_cvs/CVSROOT/");" completely, or remove
the "-R" option.








    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/support/?110993>

_______________________________________________
Message sent via Savannah
https://savannah.nongnu.org/
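
Added example, not part of the original report or of Savane's code: a shell sketch that applies the two chmod variants discussed in the report to a constructed CVSROOT tree and prints the resulting modes of the directory and its history file. The temporary directory layout, the 664 mode on the history file, and the function names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Constructed stand-in for $dir_cvs: CVSROOT/ holding a group-writable
# history file (the 664 mode is an assumption for this demo).
make_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/CVSROOT"
    : > "$root/CVSROOT/history"
    chmod 755 "$root/CVSROOT"
    chmod 664 "$root/CVSROOT/history"
    printf '%s\n' "$root"
}

# Permission string (e.g. -rw-rw-r--) as printed by ls; mode bits are
# compared instead of using `test -w`, which is always true for root.
perms() {
    ls -ld "$1" | cut -c1-10
}

# Apply one chmod variant to a fresh tree and report the resulting modes.
#   $1 = "recursive" -> chmod -R a-w CVSROOT/  (the line quoted in the report)
#   $1 = "top-only"  -> chmod a-w CVSROOT/     (the proposed "-R" removal)
seal_and_report() {
    tree=$(make_tree) || return 1
    case $1 in
        recursive) chmod -R a-w "$tree/CVSROOT/" ;;
        top-only)  chmod a-w "$tree/CVSROOT/" ;;
        *) rm -rf "$tree"; return 2 ;;
    esac
    printf '%s %s\n' "$(perms "$tree/CVSROOT")" "$(perms "$tree/CVSROOT/history")"
    chmod -R u+w "$tree"   # restore write bits so cleanup works for non-root
    rm -rf "$tree"
}

seal_and_report recursive
seal_and_report top-only
```

The first column is the mode of CVSROOT itself, the second is the mode of CVSROOT/history after the chmod variant has run.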



