Bug 49879 - cvs should be setuid root in dev-util/cvs
Bug#: 49879 Product:  Gentoo Linux Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: scandium@gentoo.org Reported By: ryan@epicgames.com
Component: Applications
Summary: cvs should be setuid root in dev-util/cvs
Opened: 2004-05-03 11:52 0000
Description:
Unless /usr/bin/cvs is setuid root, it can't change users, which makes it
unusable for serving multiple anonymous read-only clients.

 Details and discussion:
   http://mail.gnu.org/archive/html/info-cvs/2001-06/msg00071.html

cvs in portage works fine as-is for client usage.

--ryan.

------- Comment #1 From Ryan C. Gordon 2004-05-03 16:16:35 0000 -------
Wanted to follow up on this, and correct my report:

cvs gets installed into xinetd to run in pserver mode as user "cvs" and group "cvs". This breaks anonymous pserver access, since non-root binaries can't setuid() to a different user, which pserver does for security...in dropping root privs like this, it doesn't need to run as a "cvs" user in the first place.

However, setting the suid bit on /usr/bin/cvs so it runs as root breaks cvs-over-ssh in other strange ways. Details here:
    https://bugzilla.icculus.org/show_bug.cgi?id=1646

The solution appears to be running the pserver as root in xinetd (which lets it change users and drop privs), and NOT setting the suid bit on the binary (so users working over ssh get the right permissions...in this case, the cvs binary has to be run as the user that ssh'd into the server, and not root).

So I guess the actual bug solution is not tagging the binary as suid root, but instead:

 - change the xinetd entry for cvspserver to run as root, not the user "cvs".
 - Don't make the cvs user/group in the ebuild at all? I don't think it's necessary in light of this...?

Sorry for the misinformation in the original bug report, but the issue was a little deeper than I originally believed it to be.

Thanks,
--ryan.
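
The two xinetd entries this comment contrasts (the shipped one running as user "cvs", and the corrected one running as root without a "cvs" account), plus a check for the setuid bit that breaks cvs-over-ssh. This is an added illustration, not the attachments from this bug; the paths /usr/bin/cvs and /var/cvsroot are assumptions.

```shell
# Added illustration of the fix described in this bug; the two xinetd
# entries below are constructed samples, not the attachments from the bug.
# Paths (/usr/bin/cvs, /var/cvsroot) are assumptions.

# Print the value of the "user =" line of an xinetd service file.
xinetd_user() {
    awk -F= '/^[[:space:]]*user[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); print $2 }' "$1"
}

# Succeeds when the cvspserver entry runs as root: pserver must start as root
# to switch to the authenticated account and drop privileges itself.
pserver_runs_as_root() {
    [ "$(xinetd_user "$1")" = "root" ]
}

# Succeeds when the binary carries no setuid bit: a setuid-root /usr/bin/cvs
# breaks cvs-over-ssh, where cvs must run as the user who logged in.
not_setuid() {
    [ ! -u "$1" ]
}

# Constructed sample: the entry that breaks anonymous pserver access.
BROKEN_CONF=$(mktemp)
cat > "$BROKEN_CONF" <<'EOF'
service cvspserver
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = cvs
    group       = cvs
    server      = /usr/bin/cvs
    server_args = -f --allow-root=/var/cvsroot pserver
}
EOF

# Constructed sample: the corrected entry (runs as root; no "cvs" account).
FIXED_CONF=$(mktemp)
sed -e 's/^\([[:space:]]*user[[:space:]]*=[[:space:]]*\)cvs/\1root/' \
    -e '/^[[:space:]]*group[[:space:]]*=/d' "$BROKEN_CONF" > "$FIXED_CONF"

for f in "$BROKEN_CONF" "$FIXED_CONF"; do
    if pserver_runs_as_root "$f"; then
        echo "$f: cvspserver runs as root (ok)"
    else
        echo "$f: cvspserver runs as '$(xinetd_user "$f")'; cannot switch users"
    fi
done
not_setuid /usr/bin/cvs || echo "/usr/bin/cvs is setuid: cvs-over-ssh will misbehave"
```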

------- Comment #2 From Rainer Größlinger 2004-05-07 04:27:57 0000 -------
Sorry, it took me some time to comment on this :)

I am currently looking for our cvs server admin, so that we can fix this issue for people who want to run a server for sure.

I hope to get this solved over the weekend.

------- Comment #3 From Rainer Größlinger 2004-05-22 16:25:42 0000 -------
I will attach proposed fixes for the ebuild/xinetd file soon.
Please review then :)

------- Comment #4 From Rainer Größlinger 2004-05-22 16:48:50 0000 -------
Created an attachment (id=31856)
proposed changes for xinetd config

------- Comment #5 From Rainer Größlinger 2004-05-22 16:49:25 0000 -------
Created an attachment (id=31857)
proposed changes for cvs-1.11.16-r1

------- Comment #6 From Rainer Größlinger 2004-05-22 16:50:01 0000 -------
The ebuild diff also contains the "doc" USE additions proposed by jmglov.

Sorry that I didn't separate them :/

------- Comment #7 From Josh Glover (RETIRED) 2004-05-22 17:32:24 0000 -------
I have tested scandium's proposed changes, and I can get pserver working using
the normal methods. Go for it, scandium! :)

------- Comment #8 From Rainer Größlinger 2004-05-22 17:47:24 0000 -------
committed

------- Comment #9 From Ryan C. Gordon 2004-05-22 20:08:09 0000 -------
You guys rock, as usual.  :)

Thanks for your attention!

--ryan.