#13 security alert, cvs admin command

Status: closed-fixed
Owner: nobody
Labels: None
Priority: 5
Updated: 2004-11-26
Created: 2004-09-10
Private: No

Security Alert:
In cvs (please read the manual): by adding the group "cvsadmin" in /etc/group, only primary
or secondary members of this group are granted permission to
perform cvs admin commands. With this
command it is possible to destroy data, e.g. revisions
without any recovery, or to change the type of a file (-kb
to -kkv).

In cvsacl, granting write permission, it is possible to
execute cvs admin commands; there is no control for it.
This feature should only be granted to the administrator (p),
or a special permission for cvs admin must be created.

In aclconfig the following is set:
UseSystemGroups=yes
and the following is commented out: #CVSGroupsFileLocation=xxx

Discussion

  • Wilfried Brunken

    Logged In: YES
    user_id=69405

    Hello,
    thinking about this bug, I suggest adding more permissions
    to the existing permission list "nrwtcdap" for better
    representation
    of the roles in a software development team and easier
    handling for the permission administrator:

    u (user) : the software developer, gets the permissions "rwcd"

    i (integrator) : the integrator is responsible for testing and
    delivery of a software release. He must tag,
    so he gets the permissions "rwtcd"

    a : (administrator) : renaming this permission from "access"
    to "administrator", he gets all the permissions of "access"
    (i = rwtcd) and has the permission to do cvs admin
    subcommands.
    (I say a "small" admin, because the full administrator "p" has
    every permission)

    The effect: the p-admin needs only one letter for setting a
    permission for a user.

    I hope the new permission list is good!

    Many thanks, and sorry for my bad English.

     
  • sbaris

    sbaris - 2004-11-26
    • status: open --> closed-fixed
     
  • sbaris

    sbaris - 2004-11-26

    Logged In: YES
    user_id=684123

    The admin command is controlled by the "a" permission in cvsacl-1.2.2.
    Thank you.
