
[BUG] svn:executable has bad security implications.

From: Ben Reser <ben_at_reser.org>
Date: 2004-03-09 21:35:04 CET

svn will take and set svn:executable if a file has an executable bit
set. When svn:executable is set subversion will turn on all executable
permission bits (a+x) ignoring the umask.

$ umask 0077
$ svnadmin create repo
$ svn co file://`pwd`/repo wc
Checked out revision 0.
$ cd wc
$ touch a
$ chmod 700 a
$ ls -l a
-rwx------ 1 breser breser 0 Mar 9 12:13 a*
$ svn add a
A a
$ ls -l a
-rwx--x--x 1 breser breser 0 Mar 9 12:13 a*
$ chmod go= a
$ ls -l a
-rwx------ 1 breser breser 0 Mar 9 12:13 a*
$ svn commit -m 'test'
Adding a
Transmitting file data .
Committed revision 1.
$ ls -l a
-rwx--x--x 1 breser breser 0 Mar 9 12:13 a*
$ chmod go= a
$ ls -l a
-rwx------ 1 breser breser 0 Mar 9 12:13 a*
$ svn up -r0
D a
Updated to revision 0.
$ svn up -r1
A a
Updated to revision 1.
$ ls -l
total 0
-rwx--x--x 1 breser breser 0 Mar 9 12:17 a*

If an executable is set +x (as long as it isn't a shell script) then you
can execute it even without read permission. Which you may not want to
allow to do on some systems.

Unfortunately APR doesn't provide us a good way to deal with this. It
doesn't provide a way to get the umask. Nor does it provide a way to
set perms while respecting the umask.

Until APR fixes this we should be using apr_file_perms_set() to only set the
user's executable bit on platforms where this is available. It would
still be possible that we'll set a +x when the user's umask says that
they don't want it, but I don't see a way around this that's portable.
Additionally, some people may not like that we're only setting +x for
the user, but working copies are only designed for use by one user.

apr_file_attrs_set() doesn't provide enough precision to deal with this
in a secure way. But should be a fallback for platforms without
apr_file_perms_set().

Thoughts? I'll implement the above if no one has any reason not to do it
this way.

-- 
Ben Reser <ben@reser.org>
http://ben.reser.org
"Conscience is the inner voice which warns us somebody may be looking."
- H.L. Mencken
Received on Tue Mar 9 21:35:21 2004
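
The three permission policies discussed in the message, side by side, as an added example that is not code from Subversion, APR or the original post. It uses plain POSIX calls rather than APR, and the function names and the scratch file path are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

#define X_ALL (S_IXUSR | S_IXGRP | S_IXOTH)

/* Behaviour shown in the transcript: a+x, umask ignored. */
mode_t exec_mode_all(mode_t cur) { return cur | X_ALL; }

/* Interim proposal from the message: owner execute bit only. */
mode_t exec_mode_user_only(mode_t cur) { return cur | S_IXUSR; }

/* What "chmod +x" does: a+x minus the bits the umask clears. */
mode_t exec_mode_umask(mode_t cur, mode_t mask) { return cur | (X_ALL & ~mask); }

/* POSIX has no read-only umask query, so set and restore. Using 077 as the
   temporary value means a file created concurrently by another thread ends
   up more restrictive, not less. */
mode_t current_umask(void) {
    mode_t m = umask(077);
    umask(m);
    return m;
}

/* Apply the umask-respecting policy; returns new permission bits or (mode_t)-1. */
mode_t set_executable_respecting_umask(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return (mode_t)-1;
    mode_t want = exec_mode_umask(st.st_mode & 07777, current_umask());
    if (chmod(path, want) != 0) return (mode_t)-1;
    return want;
}

int main(void) {
    char tmpl[] = "/tmp/svnexec-XXXXXX";   /* constructed scratch file */
    umask(0077);                           /* same umask as the transcript */
    int fd = mkstemp(tmpl);                /* created 0600 */
    if (fd < 0) return 1;
    close(fd);
    printf("a+x:          %04o\n", (unsigned)exec_mode_all(0600));
    printf("u+x only:     %04o\n", (unsigned)exec_mode_user_only(0600));
    printf("umask-aware:  %04o\n", (unsigned)set_executable_respecting_umask(tmpl));
    unlink(tmpl);
    return 0;
}
```

With umask 0077 the first policy yields 0711 on a 0600 file, while the other two yield 0700; they differ from each other only when the umask clears the owner execute bit.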

This is an archived mail posted to the Subversion Dev mailing list.
