Subject: bin/23471: cvs pserver always run as root
To: None <gnats-bugs@gnats.netbsd.org>
From: None <smi@sm.sony.co.jp>
List: netbsd-bugs
Date: 11/18/2003 12:48:03
>Number:         23471
>Category:       bin
>Synopsis:       cvs pserver always run as root
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Nov 18 03:49:00 UTC 2003
>Closed-Date:
>Last-Modified:
>Originator:     Shoichi Miyake
>Release:        NetBSD 1.6ZC, ZE
>Organization:
Sony Corporation
>Environment:
	
	
System: NetBSD skysensor 1.6ZC NetBSD 1.6ZC (GENERIC) #7: Tue Sep 30 21:10:18 JST 2003 smi@nbx1:/work/nb/arch/i386/obj/sys/arch/i386/compile/GENERIC i386
Architecture: i386
Machine: i386
>Description:
	netbsd-1.6ZE cvs server invoked through pserver always runs as
root, which differs from the behaviour of the one in 1.6U and
before, and also differs from the behaviour of the one invoked through
rsh/ssh.
	By committing a change through a recent pserver, the *,v file owner
is set to root, not the uid logged in on pserver.
>How-To-Repeat:
(1)	Add cvspserver in inetd.conf and restart inetd. (Assuming the cvs repository already exists)
cvspserver      stream  tcp     nowait  root    /usr/bin/cvs    cvs --allow-root=/work/cvsroot pserver
(2)	log in to pserver
% cvs -d :pserver:user@cvs.my.domain:/work/cvsroot login
Password: xxxxxxx
(3)	checkout sources
% cvs -d :pserver:user@cvs.my.domain:/work/cvsroot co -P
(4)	Run top on the cvs server and confirm cvs is running as root.
(5)	change source and commit
(6)	check owner of (5)'s ,v file, the owner is not 'user', but
changed to root.
(7)	If loginfo is changed to produce a mail (using mail, sendmail,
and so on), the 'From' is set to root.
(*)	In (1), if you log in as a normal user and su to become root,
(6)'s owner and (7)'s 'From' address seem to become the original
normal user (maybe..)
>Fix:
As christos@zoulas.com said, I turned off -DSETXID_SUPPORT in
gnu/usr.bin/cvs/Makefile.inc and re-compiled cvs. And now I can use
cvspserver as before 1.6U.

> > It does not sound like your fault. Try recompiling cvs with the SETID
> > stuff turned off.
> 
> I turned off -DSETXID_SUPPORT in gnu/usr.bin/cvs/Makefile.inc, and
> rebuilt cvs, to find my problem may be solved!
>Release-Note:
>Audit-Trail:
>Unformatted:
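
A repository audit for the symptom in step (6), added here as an example and not part of the original report or of cvs: it lists `*,v` files owned by root together with the author recorded in the file's first delta, so an administrator can see which commits went through an affected pserver. The function names are hypothetical, and the author lookup assumes the standard RCS layout (`date ...; author NAME; state ...;`).

```shell
#!/bin/sh
# Added example (not from the original report). Function names are
# hypothetical; pass the repository root, e.g. /work/cvsroot.

# rcs_head_author FILE
# Print the author of the first delta listed in an RCS file. RCS lists
# deltas starting at the head revision, each with a line of the form
#   date 2003.11.18.03.49.00;  author NAME;  state Exp;
rcs_head_author() {
    sed -n 's/.*author[[:space:]]\{1,\}\([^;]*\);.*/\1/p' "$1" | head -n 1
}

# audit_rcs_owner REPO [UID]
# Print "path<TAB>head-author" for every RCS file under REPO owned by UID
# (default 0, i.e. root). Exit status: 0 = nothing found, 1 = files found,
# 2 = REPO could not be scanned. File names containing newlines are not
# supported.
audit_rcs_owner() {
    repo=$1
    uid=${2:-0}
    # CVS keeps history in files named "*,v"; find's -user accepts a
    # numeric uid as well as a login name.
    list=$(find "$repo" -type f -name '*,v' -user "$uid" -print) || return 2
    if [ -z "$list" ]; then
        return 0
    fi
    printf '%s\n' "$list" | while IFS= read -r f; do
        printf '%s\t%s\n' "$f" "$(rcs_head_author "$f")"
    done
    return 1
}

# Run the audit only when a repository path is given on the command line.
if [ -n "${1:-}" ]; then
    audit_rcs_owner "$@"
fi
```

A non-zero exit status with paths listed means commits were written by a server process that was still running as root; ownership of those files has to be corrected separately once the server is rebuilt.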