
Patch: www/faq.html

From: Dan Cross <cross_at_fubar.cshack.net>
Date: 2005-12-03 16:05:58 CET

In the Subversion FAQ, the answer to the question, "I'm managing a
website in my repository. How can I make the live site automatically
update after every commit?" suggests using a post-commit hook
combined with a setuid program. However, the example setuid program
in the FAQ answer uses the system() library function. On most
Unix-based systems, system() invokes the shell, which creates a
security risk: a malicious user can modify the environment to get
system() to run an arbitrary program. Since the program is running
setuid, they do so with the privileges of the user who owns the
program.

Even though Subversion goes to lengths to cleanse the environment
before running a hook, any user with shell access and permissions
to run the program can simply run it from the shell, and
potentially gain unauthorized access. This may not matter in a
dedicated server environment, but it also might, and the very
existence of such a program on the filesystem is a potential security
risk. However, a simple modification of the program in question
will eliminate the risk, by changing it to use the execl() library
function, which bypasses the shell: I've included a patch for the
FAQ to do just that below. (I also modified it to return
``EXIT_FAILURE'' if the execl() call fails, and for main() to take
no arguments. This is just slight nit-picking for ANSI-conformant
hosted environments.)

It's also been suggested to just bypass the setuid program
altogether and use sudo instead, but there's some administrative cost
in doing that (e.g., each committer would have to be mentioned in
sudoers or be in some group if you were using svnserve over SSH,
etc).

Thank you, and thanks for Subversion!

        - Dan C.

Index: faq.html
===================================================================
--- faq.html (revision 17611)
+++ faq.html (working copy)
@@ -1895,10 +1895,13 @@
 to run +s. Compile a tiny C program:</p>
 
 <pre>
+#include &lt;stddef.h&gt;
 #include &lt;stdlib.h&gt;
-int main(int argc, const char *argv[])
+#include &lt;unistd.h&gt;
+int main(void)
 {
- system("/usr/local/bin/svn update /home/joe/public_html/");
+ execl("/usr/local/bin/svn", "svn", "update", "/home/joe/public_html/", NULL);
+ return(EXIT_FAILURE);
 }
 </pre>
 

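Review bot: on the added execl() line, the new process still inherits the invoking user's entire environment, because execl() passes environ through unchanged; dropping the shell removes the system() problem, but svn itself still runs setuid with variables the caller chose. Consider execle() with a short fixed environment instead. The terminating argument should also be written `(char *)NULL`, since a bare NULL in a variadic call is not guaranteed to be passed as a pointer, and a perror("execl") before `return(EXIT_FAILURE);` would record why the update did not run.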
Received on Sat Dec 3 17:10:52 2005

This is an archived mail posted to the Subversion Dev mailing list.
