[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

RE: Possible security problem with svnsync?

From: Jon Foster <Jon.Foster_at_cabot.co.uk>
Date: Wed, 12 May 2010 15:49:20 +0100

Hi,
 
Bob Archer wrote:
> Jon Foster wrote:
> > I have a repository that is partially mirrored, using svnsync and
> > mod_authz_svn [1]. I just realised that the administrator of the
> > mirror server can bypass the authz rules I've set up on the master
> > server. All he has to do is change the svn:sync-from-url property
> > on the mirror repository to be a file:// URL to the source
> > repository, rather than a http:// one. The correct file:// URL is
> > probably guessable.
>
> Well, this has nothing to do with svnsync then does it? If you
> expose the repository file system then yes anyone can access it
> bypassing the server. Even with svn.exe it can be done. you should
> use FS/Network permission so that your repositories are only
> available via your server (http or svn protocols).

I'm not exposing the repository file system to users, and I'm not
giving shell access to users. The only way a user can access this
server is via Apache. However, svnsync is started by the post-commit
hook. (This is the recommended svnsync setup, as far as I can tell).
This means that svnsync is running on the server, as the "apache"
user, which gives it a lot of permissions - including the ability
to directly access the repository files.

The problem is that svnsync trusts the mirror server to give it the
correct source URL.

Kind regards,

Jon Foster

**********************************************************************
This email and its attachments may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Cabot Communications Ltd.

If you are not the intended recipient of this email and its attachments, you must take no action based upon them, nor must you copy or show them to anyone.

Cabot Communications Limited
Verona House, Filwood Road, Bristol BS16 3RY, UK
+44 (0) 1179584232

Co. Registered in England number 02817269

Please contact the sender if you believe you have received this email in error.

**********************************************************************

______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________
Received on 2010-05-12 16:50:06 CEST

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.