Subject: Re: Question regarding to set up an AnonCVS mirror
To: Viktor Holmlund <viktor@netbsd.se>
From: Manuel Bouyer <bouyer@antioche.eu.org>
List: netbsd-users
Date: 03/11/2007 10:46:23
On Fri, Mar 09, 2007 at 01:43:13PM +0100, Viktor Holmlund wrote:
> Good morning,
> 
> I'm a bit muddle-headed about the LockDirs thing, read-only repositories
> don't use locks.
> It's quite possible but I can't get things to work unless I set LockDir to
> a writeable directory in CVSROOT/config.
> ...
> After some minutes I tested to use the '-u' flag in cvs (cvs -u server),
> it seems to work without any LockDirs set in CVSROOT/config, but what I
> can see it's a security problem. Users can checkout dirs/files behind
> /cvsroot, e.g:
> 
> (export :/ instead of :/cvsroot)
> 
> >export CVSROOT=anoncvs@anoncvs.netbsd.org:/
> >export CVS_RSH=ssh
> >cvs co -PA etc
> cvs checkout: Updating etc
> cvs checkout: Updating etc/pam.d
> cvs checkout: Updating etc/systrace
> >
> 
> I compared this with the openbsd anoncvs mirror and got these results:
> 
> >export CVSROOT=anoncvs@anoncvs.openbsd.org:/
> >export CVS_RSH=ssh
> >cvs co -PA etc
> Cannot access //CVSROOT
> No such file or directory

I suspect it's because of chroot tricks. anoncvs on anoncvs.netbsd.org
is most probably chrooted, and it's possible that cvsroot is a link to /
in the chroot. You're probably getting the /etc of the chroot here.

You can compare this with anoncvs.fr.netbsd.org, where anoncvs also runs
chrooted; here I suspect you'll get the same result as the openbsd one
(I'm offline right now so I can't test)

-- 
Manuel Bouyer <bouyer@antioche.eu.org>
     NetBSD: 26 years of experience will always make the difference
--
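
The following is an added example, not part of the original message or of any NetBSD tooling: a host-side check of an anoncvs chroot for the layout suspected above, where `cvsroot` is a link to the chroot's own `/` and a client can therefore name `:/` as its repository root. The function name `audit_anoncvs_chroot` and the assumption that the repository is served as `/cvsroot` inside the chroot are hypothetical; the `CVSROOT` directory test is based on the "Cannot access //CVSROOT" error quoted in the thread.

```shell
#!/bin/sh
# Added example: audit an anoncvs chroot directory from outside the chroot.
# Assumption: the repository is published as /cvsroot inside the chroot.
# Prints one line per finding; returns 1 if anything was found, else 0.

audit_anoncvs_chroot() {
    chroot_dir=${1%/}
    findings=0

    # Layout suspected in the reply: /cvsroot is only a symlink back to the
    # chroot's own root, so "/" and "/cvsroot" name the same directory.
    if [ -L "$chroot_dir/cvsroot" ]; then
        target=$(readlink "$chroot_dir/cvsroot")
        case "$target" in
            /|.|./)
                echo "FINDING: cvsroot is a symlink to the chroot root ($target)"
                findings=$((findings + 1))
                ;;
        esac
    fi

    # A server refuses a root with "Cannot access <root>/CVSROOT" when that
    # directory is missing. If it exists at the top of the chroot, ":/" is
    # accepted and every sibling directory can be named like a module.
    if [ -d "$chroot_dir/CVSROOT" ]; then
        echo "FINDING: CVSROOT exists at the chroot root, ':/' is a usable root"
        findings=$((findings + 1))
        for d in "$chroot_dir"/*/; do
            name=$(basename "$d")
            case "$name" in
                CVSROOT|cvsroot) continue ;;
            esac
            echo "  reachable as a module name: $name"
        done
    fi

    [ "$findings" -eq 0 ]
}

# Stand-alone use: sh audit.sh /path/to/chroot
if [ "$#" -gt 0 ]; then
    audit_anoncvs_chroot "$1"
fi
```

A clean result is a chroot where `cvsroot` is a real directory holding its own `CVSROOT`, so that a request for `:/` fails the same way the OpenBSD mirror does in the quoted session.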