On Thu, Jan 18, 2007 at 02:43:32PM +0100, Martin von Gagern wrote:
> Malcolm Rowe wrote:
> > I completely agree with the general comments here, but there's one
> > important point I think you're missing: svnserve doesn't need to be root
> > to grab any of its resources. You can run it in a chroot now, and just
> > start it as the user it should be running as.
>
> To start svnserve you need access to the binary. If there is some
> security problem, it might just be possible for some malformed commit to
> modify this binary, which could lead to other problems. On the other hand
> if you could start svnserve outside as root and then chroot and drop
> privileges in the same process, you wouldn't need the binary inside the
> chroot.
>
If you're concerned about modifications to the svnserve binary, you
could use a read-only mount in the first place (so that /usr in your
chroot is mounted read-only, for example). Alternatively, you could
look at using SELinux, which would probably allow you to restrict the
permissions much more thoroughly (for example, by disallowing svnserve
from making outbound connections).
> I know this scenario is a bit far-fetched, but not far enough to
> invalidate the request. I'm a friend of chroots with only data,
> preferably on some noexec-mounted device.
>
My concern is that if we start saying 'it's okay to run svnserve as
root', we have to be a lot more careful that we've closed all the
potential holes (since we're effectively starting from a much larger
attack surface) -- writing privilege separation code is not trivial
(and, technically, I've no idea whether APR supports what we'd need to
do).
Regards,
Malcolm
Received on Thu Jan 18 15:53:10 2007
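The pattern Martin asks for above (start as root, chroot, then drop privileges in the same process so no svnserve binary has to live inside the jail) is what the following added example shows. It is not code from svnserve, APR, or either poster; it uses plain POSIX calls. The jail path and the target uid/gid are hypothetical placeholders, and the point of the ordering is the one Malcolm raises: every step that still needs root must happen before setuid(), and the drop has to be verified, because a privilege-separation routine that silently leaves root behind is worse than none.

```c
/* Added example (not svnserve/APR code): enter a chroot as root, then drop
 * to an unprivileged uid/gid in the same process. Jail path and ids below
 * are hypothetical. _GNU_SOURCE is needed for setgroups()/chroot() on glibc. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum drop_status {
    DROP_OK = 0,
    DROP_BAD_TARGET,        /* refused: caller asked to stay uid 0 / gid 0 */
    DROP_CHDIR_FAILED,
    DROP_CHROOT_FAILED,
    DROP_SETGROUPS_FAILED,
    DROP_SETGID_FAILED,
    DROP_SETUID_FAILED,
    DROP_STILL_PRIVILEGED   /* setuid(0) worked afterwards: the drop did not stick */
};

/* Refuse a root target outright: the whole point is to stop being root. */
int check_target_ids(uid_t uid, gid_t gid)
{
    return (uid == 0 || gid == 0) ? DROP_BAD_TARGET : DROP_OK;
}

/* Order matters: chroot() while still root, then clear supplementary groups,
 * then setgid(), then setuid(). Once the uid is gone none of the earlier
 * steps are possible any more, and a forgotten setgroups() leaves the
 * process in root's groups (usually gid 0) inside the jail. */
int enter_jail_and_drop(const char *jail, uid_t uid, gid_t gid)
{
    int rc = check_target_ids(uid, gid);
    if (rc != DROP_OK)
        return rc;
    if (chdir(jail) != 0)          /* fails with ENOENT for a missing jail */
        return DROP_CHDIR_FAILED;
    if (chroot(jail) != 0)         /* needs root (CAP_SYS_CHROOT on Linux) */
        return DROP_CHROOT_FAILED;
    if (chdir("/") != 0)           /* chroot() does not move the cwd for us */
        return DROP_CHDIR_FAILED;
    if (setgroups(1, &gid) != 0)   /* drop root's supplementary groups */
        return DROP_SETGROUPS_FAILED;
    if (setgid(gid) != 0)
        return DROP_SETGID_FAILED;
    if (setuid(uid) != 0)
        return DROP_SETUID_FAILED;
    /* Verify the drop: regaining root must now fail, and real/effective ids
     * must both be the target (setuid() as root sets all three). */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return DROP_STILL_PRIVILEGED;
    return DROP_OK;
}

const char *drop_status_str(int rc)
{
    static const char *const names[] = {
        "ok", "bad target ids", "chdir failed", "chroot failed",
        "setgroups failed", "setgid failed", "setuid failed",
        "still privileged"
    };
    return (rc >= 0 && rc <= DROP_STILL_PRIVILEGED) ? names[rc] : "unknown";
}

int main(int argc, char **argv)
{
    /* Hypothetical jail and service account; run as root to exercise chroot(). */
    const char *jail = argc > 1 ? argv[1] : "/srv/svn-jail";
    uid_t uid = 1000;
    gid_t gid = 1000;

    int rc = enter_jail_and_drop(jail, uid, gid);
    if (rc != DROP_OK) {
        fprintf(stderr, "privilege drop failed: %s (%s)\n",
                drop_status_str(rc), strerror(errno));
        return 1;
    }
    /* From here the process keeps serving as the unprivileged user, inside
     * the jail, without any executable having to exist under the jail root. */
    printf("serving as uid %u gid %u with root at %s\n",
           (unsigned)getuid(), (unsigned)getgid(), jail);
    return 0;
}
```

Two details worth noting: the jail must not be writable by the target uid, or the "only data, noexec" property Martin wants is lost, and the final setuid(0) check is what turns a silent partial drop into a hard failure. Under a non-root user the chroot() step fails with EPERM, which is the correct outcome for a tool that is meant to be started as root and then lose that.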