Re: cvs problem

[Steven Bellovin <smb%cs.columbia.edu@localhost>]

On Jan 30, 2010, at 11:45 AM, Christos Zoulas wrote:

>> I noticed that change, too.  Frankly, it struck me as a really bad idea.
>> 
>> I think the only thing to do is to create the group and put yourself in
>> it.  Better yet, go into the source and delete the check; it's
>> preposterous.
>> 
>> From a security perspective, it's useless, since the cvs command is
>> unprivileged and hence can't really enforce any privileges; anyone who
>> wants can compile their own copy that deletes that gratuitous check.  It
>> assumes that there is only one permission domain for cvs repositories on
>> a system, which isn't necessarily true.  (I teach at a university; most
>> professors and grad students have their own repositories.  Why should we
>> all have to be in the same group?  What benefit is there to anyone?)
>> 
>> I assume that there was some purpose in mind for the check.  For the
>> life of me, I can't imagine what it was.
> 
> Think server-client. Do you think you can recompile/change the cvs binary
> one the server side? Yes, it does not make sense for the local only code...

Even for client-server, I'm not sure that that particular change makes much 
sense.  If nothing else -- and I think there are other reasons -- the problem 
is initializing a CVS repository, which is presumably done locally on the 
server side.  Even without that, if the cvs command is running in server mode 
it has to know it, in order to speak the proper over-the-wire protocol, which 
means that at the least it should do the check only if in server mode, not if 
invoked locally.

                --Steve Bellovin, http://www.cs.columbia.edu/~smb