[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

[Issue 2486] Svnserve 1.3 authz: guidance requested

From: Lieven Govaerts <lgo_at_mobsol.be>
Date: 2006-03-01 00:55:10 CET


I'm working on fixing issue #2486: "Svnserve 1.3 authz: writing on subfolder
requires read access on repository root".

First of all, the added patch contains a new Python test authz_tests.py
which tests on the two root causes of this issue ( open_root &
open_directory function in libsvn_repos/commit.c ). These two tests will
fail when run on svnserve 1.3, succeed with mod_authz_svn ( not tested yet )
and skip when run on local repository.

An easy way to solve this issue is by removing the check for read access in
open_root and open_directory. These were added when adding path-based authz
in svnserve and are clearly to restrictive. However, in a private email
David Anderson expressed concerns on a possible security issue with this
solution, by leaking the existance of paths (no error returned == directory
exists). These concerns are not yet included in the python tests scripts. In
other words, when I remove the read access test from open_root &
open_directory, both tests will succeed.

I'm not sure how to test for these possible security issues, so I bring this
issue back on the list, and ask your opinions on this solution.


> -----Original Message-----
> From: Lieven Govaerts [mailto:lgo@mobsol.be]
> Sent: zondag 19 februari 2006 18:28
> To: 'David Anderson'
> Cc: 'Ben Collins-Sussman'; dev@subversion.tigris.org; 'Sander Striker'
> Subject: RE: [Issue 2486] New - Svnserve 1.3 authz: writing
> on subfolder requires read access on repository root
> David,
> I'd like to fix this issue so it can be included in svn
> 1.3.1. I know you're busy these days, so I just need some
> information from you so I can provide a patch myself.
> > -----Original Message-----
> > From: David Anderson [mailto:david.anderson@calixo.net]
> > Sent: dinsdag 24 januari 2006 9:55
> ...
> >
> > So, my take on all this is that svnserve's implementation is indeed
> > faulty, as it was supposed to copy mod_authz_svn's implementation.
> > The solution is to either correct svnserve (I believe the fix is a
> > two-liner - remove read access check on opening directories in the
> > commit editor), or introduce an 'x' bit that explicitely identifies
> > the right to traverse directories.
> >
> > - Dave.
> If I understand you correctly, you propose to remove these lines in
> open_root():
> /* Check read access to root */
> SVN_ERR(check_authz (eb, "/", eb->txn_root, svn_authz_read, pool));
> from svn_repos/commit.c right? Let's keep adding the 'x' bit
> for later ( issue 2298 is already available for that purpose ).
> I know you added these lines when implementing authz for
> svnserve 1.3, so removing then will probably not have impact
> of other usage scenario's. I'll provide some test scripts to
> validate that anyhow.
> regards,
> Lieven.

To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Received on Wed Mar 1 00:58:17 2006

This is an archived mail posted to the Subversion Dev mailing list.