[ On Thursday, January 8, 2004 at 10:52:53 (-0500), gdt@ir.bbn.com wrote: ]
> Subject: bin/24021: cvs(1) doesn't work with mode 770 repositories for secondary gids
>
> Remove -DSETXID_SUPPORT from /usr/src/gnu/usr.bin/cvs/Makefile.inc, or

Indeed.

SETXID_SUPPORT should not _EVER_ be defined when building CVS.

It's a deprecated and _DANGEROUS_ option and it IS NOT SUPPORTED.

Fixing whatever makes it not work as expected on NetBSD will not fix the
remaining major security problems with it.

It should never have been added and should have been removed entirely
from the CVS sources long ago, but it seems far too many of the current
CVS maintainers are still not well enough aware of the importance of
secure programming, and of course the rest of us are far too over-worked
to find the time to safely and cleanly remove such broken, but optional,
old code.

CVS is not, and by design cannot be, a security tool.

CVS can only be used safely by users who have already been authenticated
(and interconnected, if client/server is being used) by other secure
means.

-- 
						Greg A. Woods

+1 416 218-0098                  VE3TCP            RoboHack <woods@robohack.ca>
Planix, Inc. <woods@planix.com>          Secrets of the Weird <woods@weird.com>