Config file /etc/xinetd.d/cvspserver needs updating

Today, I tried to set it up with but some security issues came up that I haven't solved yet, but this setup should work fine if you're not paranoid about security. Here are the steps I used to set up my CVS server:

1) Log in as root and create a user/group cvs/cvs.

Q: I am not a system administrator; what do I care about an inetd replacement?

A: Anybody can use it to start servers that don't require privileged ports because xinetd does not require that the services in its configuration file be listed in /etc/services.

config, readers, writers have to be versioned, so first we check out module CVSROOT:

    cvs -d /var/home/cvs/repository co CVSROOT
    cvs server: Updating CVSROOT
    U CVSROOT/checkoutlist
    U CVSROOT/commitinfo
    U CVSROOT/config
    U CVSROOT/cvswrappers
    U CVSROOT/editinfo
    U CVSROOT/loginfo
    U CVSROOT/modules
    U CVSROOT/notify
    U CVSROOT/rcsinfo
    U CVSROOT/taginfo
    U CVSROOT/verifymsg

    cvs -d /var/home/cvs/repository add readers writers
    cvs server: scheduling file `readers' for addition
    cvs server: scheduling file `writers' for addition
    cvs server: use 'cvs commit' to add these files permanently

/ ) who has write access to the repository can check out CVSROOT and add entries in those files to execute a malicious program and gain access to private resources in the system!!! So, I decided to reinforce security by creating another unix group (

    cvs server: Updating CVSROOT
    U CVSROOT/checkoutlist
    U CVSROOT/commitinfo
    U CVSROOT/config
    U CVSROOT/cvswrappers
    U CVSROOT/editinfo
    U CVSROOT/loginfo
    U CVSROOT/modules
    U CVSROOT/notify
    U CVSROOT/rcsinfo
    U CVSROOT/readers
    U CVSROOT/taginfo
    U CVSROOT/verifymsg
    U CVSROOT/writers

Then, you would ask me: "What's your problem dreambox, everything is working fine", but then I would ask you to try to import a directory as a user who has read/write access to the repository ( james o dreambox ) :

Something I don't understand: xinetd is running as root.

When xinetd receives a login request it creates a cvs process with user cvs uid, right?

Users in readers file are only allowed to read repository.

Users in writers are allowed to read/write in repository.
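The readers/writers rule above and the CVSROOT risk described earlier can be checked together. The following Python audit is an added example, not part of the original post: it applies CVS's documented pserver rule (a user listed in readers is read-only even if also listed in writers) and lists the trigger-file lines that make the server run a program. The user names and the hook path are constructed sample values.

```python
import os
import tempfile

# CVSROOT files whose active (non-comment) lines name a program the server runs.
TRIGGER_FILES = ("commitinfo", "editinfo", "loginfo", "notify", "taginfo", "verifymsg")

def read_list(cvsroot, name):
    """Return the set of user names in CVSROOT/<name>, or None if the file is absent."""
    path = os.path.join(cvsroot, name)
    if not os.path.isfile(path):
        return None
    with open(path) as fh:
        return {line.strip() for line in fh if line.strip()}

def access(cvsroot, user):
    """CVS pserver rule: listed in readers -> read-only; writers exists and
    the user is not listed -> read-only; otherwise read-write."""
    readers, writers = read_list(cvsroot, "readers"), read_list(cvsroot, "writers")
    if readers is not None and user in readers:
        return "read-only"
    if writers is not None and user not in writers:
        return "read-only"
    return "read-write"

def active_triggers(cvsroot):
    """Return (file, line) for every non-comment, non-blank line in a trigger file."""
    found = []
    for name in TRIGGER_FILES:
        path = os.path.join(cvsroot, name)
        if os.path.isfile(path):
            with open(path) as fh:
                found += [(name, l.strip()) for l in fh
                          if l.strip() and not l.lstrip().startswith("#")]
    return found

def demo():
    """Audit a constructed CVSROOT (sample users and hook path are made up)."""
    root = tempfile.mkdtemp()
    files = {"readers": "guest\nalice\n", "writers": "alice\nbob\n",
             "commitinfo": "# regex  program\nALL /usr/local/bin/check-commit\n",
             "loginfo": "# no entries\n"}
    for name, body in files.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    users = ("guest", "alice", "bob", "other")
    return {u: access(root, u) for u in users}, active_triggers(root)

if __name__ == "__main__":
    rights, triggers = demo()
    print(rights, triggers)
```

Every user reported as read-write can commit changes to the listed trigger files unless file system permissions on the repository's CVSROOT directory prevent it, so that set is the one to review.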
