From cmjg@tribble.ilrt.bris.ac.uk  Thu Apr  5 03:02:48 2001
Return-Path: <cmjg@tribble.ilrt.bris.ac.uk>
Received: from tribble.ilrt.bris.ac.uk (tribble.ilrt.bris.ac.uk [137.222.34.34])
	by hub.freebsd.org (Postfix) with ESMTP id C6E2237B424
	for <FreeBSD-gnats-submit@freebsd.org>; Thu,  5 Apr 2001 03:02:47 -0700 (PDT)
	(envelope-from cmjg@tribble.ilrt.bris.ac.uk)
Received: (from cmjg@localhost)
	by tribble.ilrt.bris.ac.uk (8.11.3/8.11.3) id f35A2dv49999;
	Thu, 5 Apr 2001 11:02:39 +0100 (BST)
	(envelope-from cmjg)
Message-Id: <200104051002.f35A2dv49999@tribble.ilrt.bris.ac.uk>
Date: Thu, 5 Apr 2001 11:02:39 +0100 (BST)
From: jan.grant@bristol.ac.uk
Reply-To: jan.grant@bristol.ac.uk
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: "cvs server" doesn't honour the global --allow-root
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         26362
>Category:       gnu
>Synopsis:       "cvs server" doesn't honour the global --allow-root
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Apr 05 03:10:01 PDT 2001
>Closed-Date:    Fri Nov 02 20:41:45 UTC 2012
>Last-Modified:  Fri Nov 02 20:41:45 UTC 2012
>Originator:     jan grant
>Release:        FreeBSD 4.3-RC i386
>Organization:
ILRT, University of Bristol
>Environment:
System: FreeBSD tribble.ilrt.bris.ac.uk 4.3-RC FreeBSD 4.3-RC #0: Tue Apr 3 12:19:35 BST 2001 cmjg@tribble.ilrt.bris.ac.uk:/external/usr.obj/usr/src/sys/JAN i386
GENERIC kernel (+ sound support) - not that it matters.
Stock CVS from a buildworld.

>Description:
I was surprised to find that "cvs --allow-root=/blah server" doesn't honour
the global flag.
This is a shame since I'm trying to get secure ssh-based access to CVS,
using sshd's 'command="cvs --allow-root=/blah server"' in
~/.ssh/authorized_keys2 - this seems to be the standard way to get ssh access
to CVS.
(Summary of setup at http://ioctl.org/unix/cvs/server )
>How-To-Repeat:
Just try it.
>Fix:
*** src/cvs.h.orig	Mon Apr  2 15:37:18 2001
--- src/cvs.h	Mon Apr  2 15:37:46 2001
***************
*** 463,468 ****
--- 463,469 ----
  void root_allow_add PROTO ((char *));
  void root_allow_free PROTO ((void));
  int root_allow_ok PROTO ((char *));
+ int root_allow_ok_or_unspecified PROTO ((char *));
  
  char *gca PROTO((const char *rev1, const char *rev2));
  extern void check_numeric PROTO ((const char *, int, char **));
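Review bot: The new `root_allow_ok_or_unspecified` prototype in cvs.h has no comment, and its name alone does not say what "unspecified" refers to. Since the definition in root.c returns 1 whenever `root_allow_count == 0`, a one-line comment here stating that it returns nonzero when no --allow-root option was given, or when the argument matches one of the allowed roots, would keep callers from reading it as a strict allow-list check.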
*** src/root.c.orig	Mon Apr  2 15:36:56 2001
--- src/root.c	Mon Apr  2 15:38:27 2001
***************
*** 265,270 ****
--- 265,284 ----
      return 0;
  }
  
+ int
+ root_allow_ok_or_unspecified (arg)
+     char *arg;
+ {
+     int i;
+ 
+     if (root_allow_count == 0) return 1;
+ 
+     for (i = 0; i < root_allow_count; ++i)
+ 	if (strcmp (root_allow_vector[i], arg) == 0)
+ 	    return 1;
+     return 0;
+ }
+ 
  /* This global variable holds the global -d option.  It is NULL if -d
     was not used, which means that we must get the CVSroot information
     from the CVSROOT environment variable or from a CVS/Root file.  */
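Review bot: The early `if (root_allow_count == 0) return 1;` makes this check fail open when the server is started without --allow-root, and nothing above the function says so. That matches the name and the stated goal, but it deserves a header comment in the style of the one that follows for the -d variable, and the `return 1;` should go on its own line to match the surrounding layout. The `strcmp` comparison is exact, so a client sending an equivalent spelling of an allowed root (for example with a trailing slash) is rejected; that is the safe direction, but it is worth noting in the same comment. If the loop matches what the existing `root_allow_ok` already does, calling it after the count test would avoid carrying a second copy.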
*** src/server.c.orig	Mon Apr  2 15:35:54 2001
--- src/server.c	Mon Apr  2 15:47:43 2001
***************
*** 794,799 ****
--- 794,812 ----
  	}
      }
  #endif
+     if (!root_allow_ok_or_unspecified(arg)) {
+ 	if (alloc_pending (80 + strlen (arg)))
+ 	     /* If cvs server was run with --allow-root, we ensure
+ 		that the root given is a valid one.
+ 		Useful for using :ext: communication to
+ 		a cvs server via ssh with
+ 		    Command "cvs --allow-root=/blah server"
+ 		in the ssh config. */
+ 		sprintf (pending_error_text, "\
+ E Protocol error: Root cannot be \"%s\"",
+ 			 arg);
+ 	return;
+     }
      set_local_cvsroot (arg);
  
      /* For pserver, this will already have happened, and the call will do
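Review bot: The block comment sits between the unbraced `if (alloc_pending (80 + strlen (arg)))` and the `sprintf` that is its body, so the control flow is hard to read and a later edit could easily detach the `sprintf` from the `if`. Move the comment above the outer `if (!root_allow_ok_or_unspecified(arg))` and give the inner `if` braces. Two smaller points: `root_allow_ok_or_unspecified(arg)` lacks the space before the parenthesis that `alloc_pending (` and `strlen (arg)` use in the same hunk, and the comment's `Command "cvs --allow-root=/blah server"` does not match the `command="..."` form given in the description for ~/.ssh/authorized_keys2. The 80-byte allowance does cover the fixed part of the message, so the `sprintf` stays within what `alloc_pending` was asked for.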
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: phantom 
State-Changed-When: Tue May 29 07:28:47 PDT 2001 
State-Changed-Why:  
This is not a FreeBSD problem. FreeBSD is using externally maintained 
cvs sources. Please submit the patch to the cvs maintainers and it will 
go to the src/ tree with the next contrib/cvs import. 


http://www.FreeBSD.org/cgi/query-pr.cgi?pr=26362 
State-Changed-From-To: feedback->analyzed 
State-Changed-By: ashp 
State-Changed-When: Wed Jan 16 16:44:29 PST 2002 
State-Changed-Why:  
This PR was analyzed, and is awaiting an upstream fix. 

State-Changed-From-To: analyzed->suspended 
State-Changed-By: eadler 
State-Changed-When: Thu Feb 24 08:13:50 EST 2011 
State-Changed-Why:  
Suspended awaiting patches and/or upstream fix 

State-Changed-From-To: suspended->closed 
State-Changed-By: eadler 
State-Changed-When: Fri Nov 2 20:41:44 UTC 2012 
State-Changed-Why:  
We shall not be importing future versions of CVS, nor will we be 
maintaining CVS, so close this PR. 

>Unformatted:
