Boston Linux & Unix (BLU) Home | Calendar | Mail Lists | List Archives | Desktop SIG | Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings
Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU

BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

cvs + xinetd setgid problem

Dan Barrett <nullpointer at> writes:

> On Tuesday 24 February 2004 14:02, Derek Atkins wrote:
>> Why are you even trying to use 'pserver' for write operations?  That's
>> a security hole waiting to bit you in the rear.  
> Even when it's bound to the loopback device on an iptable'd box with NO open 
> ports, sitting behind a separate firewall which also permits no inbound 
> connection attempts?  I'm not overly worried.

You should be.  There have been numerous security flaws in the
pserver implementation allowing users to gain shell access
(and from there ROOT access).  Firewalls do you no good if an
attacker can still connect to a broken service.

And besides, what's the point of using pserver on a loopback device?
Just 'cvs -d /path/to/cvsroot' and be done with it.

       Derek Atkins                 617-623-3745
       derek at   
       Computer and Internet Security Consultant

BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!

Boston Linux & Unix /