
Re: How much libsvn_repos wrap around the libsvn_fs

From: Michael Wood <mwood_at_its.uct.ac.za>
Date: 2003-01-06 07:47:26 CET

On Fri, Jan 03, 2003 at 01:35:10PM -0500, Seth W. Klein wrote:
> Branko Čibej <brane@xbc.nu> wrote:
[snip]
> > Just a note here -- any ACL system we implement within Subversion
> > will have to be inherent to libsvn_fs in any case, so that all RA
> > methods can use it. Sure, it'll be more or less advisory for
> > ra_local.
>
> Does this remain true even if the svn binary is suid svn and the
> repository is writeable only by that user?
[snip]

Well, I doubt Subversion was ever meant to be run setuid. In general,
it's a very bad idea to run anything setuid that wasn't designed to run
setuid.

If you ran svn setuid to "svn" and had the repository only writable by
"svn," it would add another layer of protection to your repository, but
I'd still be more inclined to trust ra_svn or ra_dav.

Actually, I've just thought of a trivial exploit. Set EDITOR to /bin/sh
and run a commit of something. You shouldn't even need commit access,
since the editor gets called before the client knows whether or not
you're allowed to commit. When your "/bin/sh" "editor" gets run, you
have a shell with the permissions of your "svn" user. You can now run
your hacked client to subvert any ACLs.

-- 
Michael Wood <mwood@its.uct.ac.za>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
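As an added illustration of the point made above (this is not code from the thread or from Subversion itself), here is what a program that could end up installed setuid would have to do before honouring EDITOR: refuse an environment-supplied editor while the effective uid still differs from the real uid, drop the elevated identity permanently and verify the drop, and hand any helper a minimal explicit environment rather than the caller's. The function names and the environment allow-list are this example's own assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Constructed example, not Subversion code.
 *
 * Rule 1: an editor named by the invoking user's environment must never be
 * executed while the effective uid still differs from the real uid.  The
 * ids are parameters so the rule can be exercised without being setuid. */
int env_editor_allowed(uid_t ruid, uid_t euid, const char *editor)
{
    if (editor == NULL || editor[0] == '\0')
        return 0;                 /* nothing to run */
    if (ruid != euid)
        return 0;                 /* still privileged: refuse */
    return 1;
}

/* Rule 2: if a user-controlled helper must be spawned at all, give up the
 * elevated identity first, permanently, and re-check that the drop took.
 * Returns 0 on success, -1 on any failure (the caller must then not exec). */
int drop_privileges_permanently(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Group first: after the uid is dropped, setgid would be refused. */
    if (setgid(rgid) != 0)
        return -1;
    if (setuid(ruid) != 0)
        return -1;
    /* Verify the resulting ids instead of trusting return codes alone. */
    if (geteuid() != ruid || getuid() != ruid)
        return -1;
    if (getegid() != rgid || getgid() != rgid)
        return -1;
    return 0;
}

/* Rule 3: build a minimal environment for the helper.  Only the names in
 * `keep` are copied from the current environment; everything else (the
 * caller's EDITOR, LD_PRELOAD and so on) is dropped.  `out` receives a
 * NULL-terminated array of malloc'd "NAME=value" strings; returns how many
 * entries were copied. */
int build_minimal_env(char **out, size_t cap,
                      const char *const *keep, size_t nkeep)
{
    size_t n = 0;
    for (size_t i = 0; i < nkeep && n + 1 < cap; i++) {
        const char *v = getenv(keep[i]);
        if (v == NULL)
            continue;
        size_t len = strlen(keep[i]) + 1 + strlen(v) + 1;
        char *entry = malloc(len);
        if (entry == NULL)
            break;
        snprintf(entry, len, "%s=%s", keep[i], v);
        out[n++] = entry;
    }
    out[n] = NULL;
    return (int)n;
}
```

The order matters: the decision in rule 1 is made on the ids as they are at the moment the editor would be launched, not on whether the binary was installed setuid, so a program that drops privileges early and then consults EDITOR passes the check while one that consults EDITOR first does not.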
Received on Mon Jan 6 07:49:08 2003

This is an archived mail posted to the Subversion Dev mailing list.