49879 2004-05-03 11:52 0000 cvs should be setuid root in dev-util/cvs 2004-05-22 20:08:09 0000 1 1 1 Unclassified Gentoo Linux Applications unspecified All Linux RESOLVED FIXED P2 normal --- 1 ryan@epicgames.com scandium@gentoo.org jmglov@gentoo.org ryan@epicgames.com 2004-05-03 11:52:37 0000 Unless /usr/bin/cvs is setuid root, it can't change users, which makes it unusable for serving multiple anonymous read-only clients. Details and discussion: http://mail.gnu.org/archive/html/info-cvs/2001-06/msg00071.html cvs in portage works fine as-is for client usage. --ryan. ryan@epicgames.com 2004-05-03 16:16:35 0000 Wanted to follow up on this, and correct my report: cvs gets installed into xinetd to run in pserver mode as user "cvs" and group "cvs". This breaks anonymous pserver access, since non-root binaries can't setuid() to a different user, which pserver does for security...in dropping root privs like this, it doesn't need to run as a "cvs" user in the first place. However, setting the suid bit on /usr/bin/cvs so it runs as root breaks cvs-over-ssh in other strange ways. Details here: https://bugzilla.icculus.org/show_bug.cgi?id=1646 The solution appears to be running the pserver as root in xinetd (which lets it change users and drop privs), and NOT setting the suid bit on the binary (so users working over ssh get the right permissions...in this case, the cvs binary has to be run as the user that ssh'd into the server, and not root). So I guess the actual bug solution is not tagging the binary as suid root, but instead: - change the xinetd entry for cvspserver to run as root, not the user "cvs". - Don't make the cvs user/group in the ebuild at all? I don't think it's necessary in light of this...? Sorry for the misinformation in the original bug report, but the issue was a little deeper than I originally believed it to be. Thanks, --ryan. scandium@gentoo.org 2004-05-07 04:27:57 0000 Sorry, it took me some time to comment on this :) I am currently looking for our cvs server admin, so that we can fix this issue for people who want to run a server for sure. I hope to get this solved over the weekend. scandium@gentoo.org 2004-05-22 16:25:42 0000 I will attach proposed fixes for the ebuild/xinetd file soon. Please review then :) scandium@gentoo.org 2004-05-22 16:48:50 0000 Created an attachment (id=31856) proposed changes for xinetd config scandium@gentoo.org 2004-05-22 16:49:25 0000 Created an attachment (id=31857) proposed changes for cvs-1.11.16-r1 scandium@gentoo.org 2004-05-22 16:50:01 0000 The ebuild diff also contains the "doc" USE additions proposed by jmglov. Sorry that I didn't seperate them :/ jmglov@gentoo.org 2004-05-22 17:32:24 0000 I have tested scandium's proposed changes, and I can get pserver working using the normal methods. Go for it, scandium! :) scandium@gentoo.org 2004-05-22 17:47:24 0000 committed ryan@epicgames.com 2004-05-22 20:08:09 0000 You guys rock, as usual. :) Thanks for your attention! --ryan. 31856 2004-05-22 16:48 0000 proposed changes for xinetd config cvspserver.xinetd.d.diff text/plain Niw3YzYKPCAJdXNlcgkJPSBjdnMKPCAJZ3JvdXAJCT0gY3ZzCi0tLQo+IAl1c2VyCQk9IHJvb3QK 31857 2004-05-22 16:49 0000 proposed changes for cvs-1.11.16-r1 cvs-1.11.16.ebuild.diff text/plain OWM5LDEyCjwgU1JDX1VSST0iaHR0cDovL2Z0cC5jdnNob21lLm9yZy9yZWxlYXNlL3N0YWJsZS8k e1B9LyR7UH0udGFyLmJ6MiIKLS0tCj4gU1JDX1VSST0iaHR0cDovL2Z0cC5jdnNob21lLm9yZy9y ZWxlYXNlL3N0YWJsZS8ke1B9LyR7UH0udGFyLmJ6Mgo+IAlkb2M/ICggaHR0cDovL2Z0cC5jdnNo b21lLm9yZy9yZWxlYXNlL3N0YWJsZS8ke1B9L2NlZGVycXZpc3QtJHtQVn0uaHRtbC50YXIuYnoy Cj4gCQlodHRwOi8vZnRwLmN2c2hvbWUub3JnL3JlbGVhc2Uvc3RhYmxlLyR7UH0vY2VkZXJxdmlz dC0ke1BWfS5wZGYKPiAJCWh0dHA6Ly9mdHAuY3ZzaG9tZS5vcmcvcmVsZWFzZS9zdGFibGUvJHtQ fS9jZWRlcnF2aXN0LSR7UFZ9LnBzICkiCjEzYzE2CjwgS0VZV09SRFM9Ing4NiBwcGMgc3BhcmMg bWlwcyBhbHBoYSB+YXJtIGhwcGEgYW1kNjQgfmlhNjQgfnBwYzY0IHMzOTAiCi0tLQo+IEtFWVdP UkRTPSJ+eDg2IH5wcGMgfnNwYXJjIH5taXBzIH5hbHBoYSB+YXJtIH5ocHBhIH5hbWQ2NCB+aWE2 NCB+cHBjNjQgfnMzOTAiCjE1YzE4CjwgSVVTRT0iZW1hY3MiCi0tLQo+IElVU0U9ImRvYyBlbWFj cyIKMjEsMjVkMjMKPCBwa2dfc2V0dXAoKSB7CjwgCWVuZXdncm91cCBjdnMKPCAJZW5ld3VzZXIg Y3ZzIC0xIC9iaW4vZmFsc2UgL3Zhci9jdnNyb290IGN2cwo8IH0KPCAKMzYsMzdkMzMKPCAJa2Vl cGRpciAvdmFyL2N2c3Jvb3QKPCAKNDZhNDMsNTEKPiAKPiAJaWYgdXNlIGRvYzsgdGhlbgo+IAkJ ZG9kb2MgJHtESVNURElSfS9jZWRlcnF2aXN0LSR7UFZ9LnBkZgo+IAkJZG9kb2MgJHtESVNURElS fS9jZWRlcnF2aXN0LSR7UFZ9LnBzCj4gCQl0YXIgeGpmICR7RElTVERJUn0vY2VkZXJxdmlzdC0k e1BWfS5odG1sLnRhci5iejIKPiAJCWRvaHRtbCAtciBjZWRlcnF2aXN0LSR7UFZ9Lmh0bWwvKgo+ IAkJY2QgJHtEfS91c3Ivc2hhcmUvZG9jLyR7UEZ9L2h0bWwvCj4gCQlsbiAtcyBjdnMuaHRtbCBp bmRleC5odG1sCj4gCWZpCjQ3YTUzCj4gCg==