cvs + xinetd setgid problem
Derek Atkins
derek at ihtfp.com
Tue Feb 24 14:49:33 EST 2004
Dan Barrett <nullpointer at pobox.com> writes:
> On Tuesday 24 February 2004 14:02, Derek Atkins wrote:
>> Why are you even trying to use 'pserver' for write operations? That's
>> a security hole waiting to bit you in the rear.
>
> Even when it's bound to the loopback device on an iptable'd box with NO open
> ports, sitting behind a separate firewall which also permits no inbound
> connection attempts? I'm not overly worried.
You should be. There have been numerous security flaws in the
pserver implementation allowing users to gain shell access
(and from there ROOT access). Firewalls do you no good if an
attacker can still connect to a broken service.
And besides, what's the point of using pserver on a loopback device?
Just 'cvs -d /path/to/cvsroot' and be done with it.
-derek
--
Derek Atkins 617-623-3745
derek at ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
More information about the Discuss
mailing list