| Summary: | cvs pserver does not work with out-of-the-box configuration | ||
|---|---|---|---|
| Product: | Base System | Reporter: | timj <timj> |
| Component: | conf | Assignee: | Alexey Zelkin <phantom> |
| Status: | Closed FIXED | ||
| Severity: | Affects Only Me | ||
| Priority: | Normal | ||
| Version: | Unspecified | ||
| Hardware: | Any | ||
| OS: | Any | ||
Description
timj
1999-10-23 14:47:18 UTC
> >Number: 14463
> >Category: conf
> >Synopsis: cvs pserver does not work with out-of-the-box configuration
> >Confidential: no
> >Severity: non-critical
> >Priority: low
> >Responsible: freebsd-bugs
> >State: ope
> >Quarter:
> >Keywords:
> >Date-Required:
> >Class: change-request
> >Submitter-Id: current-users
> >Arrival-Date: Sat Oct 23 06:47:18 PDT 1999
> >Closed-Date:
> >Last-Modified:
> >Originator: Tim Jansen
> >Release: 3.3
> >Organization:
> >Environment:
> FreeBSD fizz.systembureau.com 3.3-RELEASE FreeBSD 3.3-RELEASE #0: Thu Sep 16 23:40:35 GMT 1999 jkh@highwing.cdrom.com:/usr/src/sys/compile/GENERIC i386
>
> >Description:
> I installed the 3.3 distribution (on a P200 no-name machine) and
> wanted to install the cvs pserver. So I looked in the inetd.conf
> file and found the following cvspserver lines.
> #
> # CVS servers - for master CVS repositories only!
> #
> #cvspserver stream tcp nowait root /usr/bin/cvs cvs pserver
> #cvs stream tcp nowait root /usr/bin/cvs cvs kserver
>
>
> I uncommented them, restarted inetd of course, but when I tried to log into
> the server, I get the following message after entering my password:
>
> [timon:~]cvs login
> (Logging in to timj@fizz.sfabrik.de)
> CVS password:
> Server configuration missing --allow-root in inetd.conf
> cvs [login aborted]: authorization failed: server fizz.sfabrik.de rejected access
>
> The "Server configuration..." message seems to come from cvs. When I telnet to
> the server, inetd accepts the TCP connection and I can talk to
> CVS.
CVS needs to be configured correctly. Note, *UNLESS* you know what you
are doing (and it takes a bit of work), 'pserver' mode becomes a trivial
way to break root on your box.
FreeBSD should *NOT* allow pserver mode to be set up out of the box if
security is at all a concern.
Please read the cvs man pages, as well as the security pages on
www.cylic.com to discuss the security issues.
Nate
State Changed From-To: open->feedback
As Nate described, your request can't be completed. Can I close PR?

Responsible Changed From-To: freebsd-bugs->phantom
I'll track response.

State Changed From-To: feedback->closed
Fixed by peter in rev. 1.41
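
Added example, not part of the original PR or of FreeBSD's or CVS's own code: a small audit of inetd.conf text that reports, for each enabled pserver entry, the two conditions this thread raises (no `--allow-root` argument, and the service running as root). The function name, the sample text, the `cvsd` user and the `/home/cvsroot` path are assumptions made for the illustration.

```python
# Constructed sample: the stock lines quoted in the report (pserver line
# uncommented), plus one entry with --allow-root. The "cvsd" user and the
# /home/cvsroot path are hypothetical and only exercise the checker.
SAMPLE = """\
#
# CVS servers - for master CVS repositories only!
#
cvspserver stream tcp nowait root /usr/bin/cvs cvs pserver
#cvs stream tcp nowait root /usr/bin/cvs cvs kserver
cvspserver stream tcp nowait cvsd /usr/bin/cvs cvs -f --allow-root=/home/cvsroot pserver
"""

MISSING_ROOT = "missing --allow-root (server rejects logins)"
RUNS_AS_ROOT = "runs as root"


def audit_inetd(text):
    """Return [(line_number, [findings])] for every enabled pserver entry."""
    results = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out: the service is disabled
        # inetd.conf fields: service socktype proto wait user program argv...
        fields = line.split()
        if len(fields) < 7:
            continue
        user, argv = fields[4], fields[6:]
        if "pserver" not in argv:
            continue
        findings = []
        if not any(a.startswith("--allow-root=") for a in argv):
            findings.append(MISSING_ROOT)
        # The user field may carry a group or login class (user:group/class).
        if user.split(":")[0].split("/")[0] == "root":
            findings.append(RUNS_AS_ROOT)
        results.append((lineno, findings))
    return results


if __name__ == "__main__":
    for lineno, findings in audit_inetd(SAMPLE):
        print(lineno, findings or ["no findings"])
```
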