Network services - CVS

 

CVS allows multiple developers to work together on large source code projects and maintain a large code base in a somewhat sane manner. CVS's internal security mechanisms are rather simple on their own; in fact some would say weak, and I would have to agree. CVS's authentication is typically achieved over the network using pserver, usernames are sent in clear text, and passwords are trivially hashed (no security really). 

To get around this you have several good options. In a Unix environment probably the simplest method is to use SSH to tunnel connections between the client machines and the server. "Tim TimeWaster" (Tim Hemel, one of the Final Scratch guys) has written an excellent page covering this at: http://cuba.xs4all.nl/~tim/scvs/. A somewhat more complicated approach (but better in the long run for large installations) is to kerberize the CVS server and clients. 

Typically large networks (especially in university environments) already have an established Kerberos infrastructure. Details on kerberizing CVS are available at: http://www.cyclic.com/cyclic-pages/security.html. Apart from that I would strongly urge firewalling CVS unless you are using it for some public purpose (such as an open source project across the Internet). 

Another tool for securing CVS that just appeared is “cvsd”, a wrapper for pserver that chroot’s and/or suid’s the pserver to a harmless user. cvsd is available at: http://cblack.mokey.com/cvsd/ in rpm format and a source tarball.

There are other less obvious concerns you should be aware of, when dealing with source code you should be very to ensure no Trojan horses or backdoors are allowed into the code. In an open source project this is relatively simple, review the code people submit, especially if it is a publicly accessible effort, such as the Mozilla project. Other concerns might be destruction of the source code, make sure you have backups. CVS uses port 2401, tcp.

ipfwadm -I -a accept -P tcp -S 10.0.0.0/8 -D 0.0.0.0/0 2401
ipfwadm -I -a accept -P tcp -S some.trusted.host -D 0.0.0.0/0 2401
ipfwadm -I -a deny -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 2401

or

ipchains -A input -p tcp -j ACCEPT -s 10.0.0.0/8 -d 0.0.0.0/0 2401
ipchains -A input -p tcp -j ACCEPT -s some.trusted.host -d 0.0.0.0/0 2401
ipchains -A input -p tcp -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 2401

Back

Security Portal

Written by Kurt Seifried