From nobody@FreeBSD.ORG Fri Oct 22 10:40:22 1999
Return-Path: <nobody@FreeBSD.ORG>
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id 02E5314E30; Fri, 22 Oct 1999 10:40:20 -0700 (PDT)
Message-Id: <19991022174020.02E5314E30@hub.freebsd.org>
Date: Fri, 22 Oct 1999 10:40:20 -0700 (PDT)
From: timj@systembureau.com
Sender: nobody@FreeBSD.ORG
To: freebsd-gnats-submit@freebsd.org
Subject: cvs pserver does not work with out-of-the-box configuration
X-Send-Pr-Version: www-1.0

>Number:         14463
>Category:       conf
>Synopsis:       cvs pserver does not work with out-of-the-box configuration
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    phantom
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sat Oct 23 06:47:18 PDT 1999
>Closed-Date:    Mon Apr 24 04:50:32 PDT 2000
>Last-Modified:  Mon Apr 24 04:51:22 PDT 2000
>Originator:     Tim Jansen
>Release:        3.3
>Organization:
>Environment:
FreeBSD fizz.systembureau.com 3.3-RELEASE FreeBSD 3.3-RELEASE #0: Thu Sep 16 23:40:35 GMT 1999     jkh@highwing.cdrom.com:/usr/src/sys/compile/GENERIC  i386

>Description:
I installed the 3.3 distribution (on a P200 no-name machine) and 
wanted to install the cvs pserver. So I looked in the inetd.conf
file and found the following cvspserver lines. 
#
# CVS servers - for master CVS repositories only!
#
#cvspserver      stream  tcp     nowait  root    /usr/bin/cvs    cvs pserver
#cvs             stream  tcp     nowait  root    /usr/bin/cvs    cvs kserver


I uncommented them, restarted inetd of course, but when I tried to log into 
the server, I get the following message after entering my password:

[timon:~]cvs login
(Logging in to timj@fizz.sfabrik.de)
CVS password: 
Server configuration missing --allow-root in inetd.conf
cvs [login aborted]: authorization failed: server fizz.sfabrik.de rejected access

The "Server configuration..." message seems to come from cvs. When I telnet to
the server, inetd accepts the TCP connection and I can talk to
CVS. 

>How-To-Repeat:
Install FreeBSD, uncomment the inetd.conf lines.
>Fix:


>Release-Note:
>Audit-Trail:

From: Nate Williams <nate@mt.sri.com>
To: timj@systembureau.com
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: conf/14463: cvs pserver does not work with out-of-the-box configuration
Date: Sat, 23 Oct 1999 10:07:10 -0600

 > >Number:         14463
 > >Category:       conf
 > >Synopsis:       cvs pserver does not work with out-of-the-box configuration
 > >Confidential:   no
 > >Severity:       non-critical
 > >Priority:       low
 > >Responsible:    freebsd-bugs
 > >State:          ope
 > >Quarter:        
 > >Keywords:       
 > >Date-Required:
 > >Class:          change-request
 > >Submitter-Id:   current-users
 > >Arrival-Date:   Sat Oct 23 06:47:18 PDT 1999
 > >Closed-Date:
 > >Last-Modified:
 > >Originator:     Tim Jansen
 > >Release:        3.3
 > >Organization:
 > >Environment:
 > FreeBSD fizz.systembureau.com 3.3-RELEASE FreeBSD 3.3-RELEASE #0: Thu Sep 16 23:40:35 GMT 1999     jkh@highwing.cdrom.com:/usr/src/sys/compile/GENERIC  i386
 > 
 > >Description:
 > I installed the 3.3 distribution (on a P200 no-name machine) and 
 > wanted to install the cvs pserver. So I looked in the inetd.conf
 > file and found the following cvspserver lines. 
 > #
 > # CVS servers - for master CVS repositories only!
 > #
 > #cvspserver      stream  tcp     nowait  root    /usr/bin/cvs    cvs pserver
 > #cvs             stream  tcp     nowait  root    /usr/bin/cvs    cvs kserver
 > 
 > 
 > I uncommented them, restarted inetd of course, but when I tried to log into 
 > the server, I get the following message after entering my password:
 > 
 > [timon:~]cvs login
 > (Logging in to timj@fizz.sfabrik.de)
 > CVS password: 
 > Server configuration missing --allow-root in inetd.conf
 > cvs [login aborted]: authorization failed: server fizz.sfabrik.de rejected access
 > 
 > The "Server configuration..." message seems to come from cvs. When I telnet to
 > the server, inetd accepts the TCP connection and I can talk to
 > CVS. 
 
 CVS needs to be configured correctly.  Note, *UNLESS* you know what you
 are doing (and it takes a bit of work), 'pserver' mode becomes a trivial
 way to break root on your box.
 
 FreeBSD should *NOT* allow pserver mode to be set up out of the box if
 security is at all a concern.
 
 Please read the cvs man pages, as well as the security pages on
 www.cylic.com to discuss the security issues.
 
 
 
 Nate
 
State-Changed-From-To: open->feedback 
State-Changed-By: phantom 
State-Changed-When: Sat Dec 25 09:54:29 PST 1999 
State-Changed-Why:  
As Nate described, your request can't be completed. Can I close the PR?


Responsible-Changed-From-To: freebsd-bugs->phantom 
Responsible-Changed-By: phantom 
Responsible-Changed-When: Sat Dec 25 09:54:29 PST 1999 
Responsible-Changed-Why:  
I'll track response. 

State-Changed-From-To: feedback->closed 
State-Changed-By: phantom 
State-Changed-When: Mon Apr 24 04:50:32 PDT 2000 
State-Changed-Why:  
Fixed by peter in rev. 1.41 
>Unformatted:
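
An added example (not part of the PR and not FreeBSD's own tooling): a small sh/awk check that scans inetd.conf-style input for enabled CVS server entries and reports the two conditions raised in this report, a pserver/kserver line with no --allow-root= argument and a server started as root. The sample lines and the /path/to/repo repository path are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: the stock commented line, the same line uncommented as in
# the PR, and a line carrying --allow-root (the repository path is a placeholder).
sample_inetd_conf() {
    cat <<'EOF'
#cvspserver stream tcp nowait root /usr/bin/cvs cvs pserver
cvspserver  stream tcp nowait root /usr/bin/cvs cvs pserver
cvspserver  stream tcp nowait root /usr/bin/cvs cvs --allow-root=/path/to/repo pserver
EOF
}

# audit_inetd_cvs [FILE]: reads inetd.conf text (stdin if no FILE), prints one
# finding per line, and returns 1 if any enabled CVS server entry was flagged.
audit_inetd_cvs() {
    awk '
    /^[ \t]*#/ || NF < 7 { next }        # comments and incomplete entries
    $6 !~ /(^|\/)cvs$/   { next }        # field 6 is the server program
    {
        mode = ""; allow = 0
        for (i = 7; i <= NF; i++) {      # fields 7.. are argv[0] and arguments
            if ($i == "pserver" || $i == "kserver") mode = $i
            if ($i ~ /^--allow-root=./) allow++
        }
        if (mode == "") next
        user = $5; sub(/[:.].*/, "", user)   # strip an optional group suffix
        if (allow == 0) {
            printf "line %d: %s has no --allow-root=<repository>; the server rejects logins\n", NR, mode
            found = 1
        }
        if (user == "root") {
            printf "line %d: %s is started as root\n", NR, mode
            found = 1
        }
    }
    END { exit (found ? 1 : 0) }
    ' "$@"
}

# Run against the constructed sample when executed directly.
sample_inetd_conf | audit_inetd_cvs || echo "review the entries listed above"
```

Run it against a real file with `audit_inetd_cvs /etc/inetd.conf`; a non-zero status means at least one enabled CVS entry needs review.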
