
Re: Hook scripts start with an empty environment

From: Tim Starling <tstarling_at_wikimedia.org>
Date: Thu, 25 Mar 2010 07:45:19 +1100

Greg Hudson wrote:
> It might be reasonable to have said from the start, "if you're in the
> third situation, then your hook scripts should clear their own
> environments," but we can't start saying that in release 1.7. We can
> detect a setuid or setgid bit, but we cannot detect a restricted shell
> situation (such as when .ssh/authorized-keys contains a "command"
> directive), so we can't really intuit when it's safe to propagate the
> environment.
>

If the .ssh/authorized_keys has a command directive, the only way the
user could set environment variables in OpenSSH is if the server has a
set of potentially malicious variable names in the AcceptEnv
configuration variable. It accepts no variables by default and the
manual warns "that some environment variables could be used to bypass
restricted user environments".

But like I said, I'm happy with it being configurable. Do you want a
patch for that too? It's a fair bit more complicated than the one I
already did so I didn't want to try it without at least in-principle
approval.

-- Tim Starling
Received on 2010-03-24 21:45:52 CET

This is an archived mail posted to the Subversion Dev mailing list.
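
The AcceptEnv point in the mail above can be checked on a given server. The following is an added example, not part of the original mail or of Subversion: it lists the AcceptEnv patterns in an sshd_config text and reports which names from a watch list a client could set through them. The watch list, the function names and the sample configuration are assumptions constructed for illustration.

```python
import re

# Assumed watch list (not from the original mail): variables that change how a
# shell, the dynamic loader or an interpreter behaves when a hook script starts.
SENSITIVE = ["PATH", "IFS", "ENV", "BASH_ENV", "LD_PRELOAD", "LD_LIBRARY_PATH",
             "PYTHONPATH", "PERL5LIB"]

def accept_env_patterns(sshd_config_text):
    """Return every AcceptEnv pattern in the text, in order of appearance.
    Patterns inside Match blocks are included too, which errs on the safe side."""
    patterns = []
    for line in sshd_config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Keywords are case-insensitive; whitespace or '=' separates the value.
        m = re.match(r"(?i)acceptenv(?:\s*=\s*|\s+)(.*)$", line)
        if m:
            patterns.extend(m.group(1).split())
    return patterns

def pattern_to_regex(pattern):
    """Translate a pattern using only the '*' and '?' wildcards into a regex."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)
    return re.compile(body + r"\Z", re.S)

def audit(sshd_config_text, names=SENSITIVE):
    """Map each AcceptEnv pattern to the watched names it would let a client set."""
    findings = {}
    for pat in accept_env_patterns(sshd_config_text):
        rx = pattern_to_regex(pat)
        hits = [n for n in names if rx.match(n)]
        if hits:
            findings[pat] = hits
    return findings

# Constructed sample configuration, not taken from any real server.
SAMPLE = """\
# locale forwarding only
AcceptEnv LANG LC_*
# too broad
acceptenv=LD_* P?TH
"""

if __name__ == "__main__":
    for pat, hits in audit(SAMPLE).items():
        print(f"AcceptEnv {pat} admits: {', '.join(hits)}")
```

An empty result means none of the watched names can reach a forced command through AcceptEnv, which is also the outcome for a configuration with no AcceptEnv line at all.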