
Re: Webserver CVS (In)Security

From: Brian Hatch <vuln-dev(at)ifokr.org>
Date: Tue Apr 01 2003 - 14:56:12 EST

> A lot of people use CVS to manage their web content. It's a great way to
> keep track of changes, and makes updating and rollbacks a very easy
> thing to do.

...

> When I finally decided to manage my web content with CVS, I noticed
> something about the directory layout (after running a `cvs up`) of my
> website; there were a bunch of CVS directories with files in them. I
> always knew they were there when working with CVS (those files are the
> way CVS keeps track of versions and what not), but I never paid any mind
> to them.. until today.

I use CVS to manage many of my web sites too, however the website is rsync'd from the checked out CVS version. I use the '-C' flag (--cvs-exclude) to automatically not upload any CVS-related files. From the man page:

   This is a useful shorthand for excluding a broad range of
   files that you often don't want to transfer between
   systems. It uses the same algorithm that CVS uses to
   determine if a file should be ignored.

   The exclude list is initialized to:


   RCS SCCS CVS CVS.adm RCSLOG cvslog.* tags TAGS .make.state
   .nse_depinfo *~ #* .#* ,* *.old *.bak *.BAK *.orig *.rej .del-*
   *.a *.o *.obj *.so *.Z *.elc *.ln core

   then files listed in a $HOME/.cvsignore are added to the
   list and any files listed in the CVSIGNORE environment
   variable (space delimited).

   Finally, any file is ignored if it is in the same
   directory as a .cvsignore file and matches one of the
   patterns listed therein. See the cvs(1) manual for more
   information.

This prevents all those sensitive files from being published, not just those that are in the CVS directory.

If it's just the CVS directory you're worried about, you could configure apache to deny these using a <files CVS> option in your httpd.conf.

--
Brian Hatch                  I used to work in a
   Systems and                blanket factory,
   Security Engineer          but it folded.
www.hackinglinuxexposed.com

Every message PGP signed

  • application/pgp-signature attachment: stored
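An added example, not part of Brian's mail and not rsync's or Apache's own code, that puts the two options above into a small POSIX shell script: it builds a constructed checkout tree (the file contents, the `cvs.example.invalid` Root value and every function name are made up here), lists which paths rsync's `-C` default exclude list would hold back before you publish, wraps the `rsync -aC --delete` deployment step, and emits an httpd.conf fragment. The Apache fragment uses a `DirectoryMatch` container with 2.4 `Require` syntax, an assumption that goes beyond the `<files CVS>` the mail names, so that `Entries`, `Root` and `Repository` inside any CVS directory are refused as well.

```shell
#!/bin/sh
# Added example, not from the original mail: audit a CVS checkout for the files
# rsync -C (--cvs-exclude) would hold back, publish with rsync, and deny CVS
# directories in Apache. All paths and file contents below are constructed.
set -eu

# Default exclude list from the rsync(1) man page excerpt quoted in the mail.
# $HOME/.cvsignore, $CVSIGNORE and per-directory .cvsignore are not modelled here.
CVS_EXCLUDES='RCS SCCS CVS CVS.adm RCSLOG cvslog.* tags TAGS .make.state
.nse_depinfo *~ #* .#* ,* *.old *.bak *.BAK *.orig *.rej .del-*
*.a *.o *.obj *.so *.Z *.elc *.ln core'

# list_excluded DIR: print every path under DIR whose name matches a pattern.
# A matching directory is printed once and not descended into, mirroring how
# rsync skips the whole CVS/ subtree rather than its individual Entries/Root files.
list_excluded() {
    _dir=$1
    set -f                      # keep *~ and .#* literal while building the find expression
    set --
    for _pat in $CVS_EXCLUDES; do
        set -- "$@" -o -name "$_pat"
    done
    set +f
    shift                       # drop the leading -o
    find "$_dir" \( "$@" \) -prune -print | sort
}

# count_excluded DIR: number of would-be-leaked paths, usable as a pre-publish gate.
count_excluded() {
    list_excluded "$1" | wc -l | tr -d ' '
}

# make_sample_tree: a constructed checkout containing the metadata that would leak.
make_sample_tree() {
    _root=$(mktemp -d)
    mkdir -p "$_root/CVS" "$_root/css/CVS"
    # CVS/Root reveals the repository host and user name (constructed value)
    printf ':pserver:alice@cvs.example.invalid:/cvsroot\n' > "$_root/CVS/Root"
    printf 'www\n' > "$_root/CVS/Repository"
    printf '/index.html/1.3/Tue Apr  1 12:00:00 2003//\n' > "$_root/CVS/Entries"
    printf 'D\n' > "$_root/css/CVS/Entries"
    printf '<html>hello</html>\n' > "$_root/index.html"
    printf 'body {}\n' > "$_root/css/style.css"
    printf 'old copy\n' > "$_root/index.html.bak"    # editor backup, also excluded
    : > "$_root/core"                                 # matches the bare 'core' pattern
    printf '%s\n' "$_root"
}

# publish SRC DEST: the deployment step from the mail. -C applies the list above
# plus $HOME/.cvsignore, $CVSIGNORE and per-directory .cvsignore; --delete removes
# files that disappeared from the checkout. Add -n first for a dry run.
publish() {
    rsync -aC --delete "$1/" "$2/"
}

# apache_deny_cvs: httpd.conf fragment for the second option in the mail, as a
# DirectoryMatch container (assumed Apache 2.4 syntax) so that Entries, Root and
# Repository inside any CVS/ directory are refused, not only a request for CVS itself.
apache_deny_cvs() {
    cat <<'EOF'
<DirectoryMatch "/CVS(/|$)">
    Require all denied
</DirectoryMatch>
EOF
}

# Stand-alone run ("sh script.sh demo"): build the sample tree and show what
# rsync -C would hold back from it.
if [ "${1:-}" = "demo" ]; then
    root=$(make_sample_tree)
    echo "paths rsync -C would not publish from $root:"
    list_excluded "$root"
    echo "count: $(count_excluded "$root")"
    rm -rf "$root"
fi
```

On the sample tree, `list_excluded` reports the two CVS directories, `index.html.bak` and `core`, and nothing from inside `css/CVS`, which is exactly the set `publish` leaves out of the web root. The Apache fragment is the belt-and-braces layer for checkouts that are served directly rather than rsync'd; it only covers directories literally named CVS, not the backup and object files the rsync list also catches.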
Received on Thu Apr 3 12:32:25 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:38 EDT

