On Wed, Jun 11, 2003 at 12:47:44AM +0200, Steffen Dettmer wrote:
Well, for multiple purposes CVS uses temp files (probably in respect of $TEMP or so).
I'm especially astonished that the client allows access to absolute file/path names.
Yes, it is known that CVS offers access when giving write access to the repository. Check out possibilities of CVSROOT files,
As I wrote in my followup to my own post: The client does not try to actually access the file/directory outside the tree, so it looks like things are ok after all and I just caused some unnecessary fuss :-(
there are a couple of nice things an intruder could use! CVS should be used in "trusted environments" only I think.
Can you please explain a bit what you mean?
Of course you can use system features to secure it a little (chroot with local r/o NFS mount for an unprivileged user and so on).
I think you are talking about securing a CVS server - the client should not be allowed to write anywhere outside (aka closer to the root) its current directory - everything else would make me and probably many other people stop using the cvs client immediately.

Ciao
Jörg
--
Joerg Mayer <jmayer@loplof.de>
We are stuck with technology when what we really want is just stuff that works. Some say that should read Microsoft instead of technology.