Re: [HCoop-Discuss] SVN security issues

From: Max Bowsher <maxb1_at_ukf.net>
Date: 2006-11-08 10:48:26 CET

Karl Chen wrote:
>>>>>> On 2006-11-07 13:40 PST, Max Bowsher writes:
>
> Max> I do not understand why a solution based on sudo forces
> Max> root ownership.
>
> Max> IIRC, the problem scenario is that www-data needs to run
> Max> hooks under the UID of a human user?
>
> Almost. If the problem were that the user wants to run the hook
> under his user account, the problem could be solved with sudo.
>
> That is a problem, but a bigger problem is that the administrator
> does not want to allow the user to run it under the apache user
> account (www-data) even if the user wants to.

What about deploying the wrapper hooks into all repositories, with
permissions set so the user cannot replace them?

Then the user cannot run arbitrary code as www-data.

I guess the permissions would involve the wrappers being owned by root,
mode 755, and the hooks directory would need +t, or otherwise
restrictive permissions to prevent the user from deleting the wrappers.

Still, I can see that it's not a wonderfully elegant solution.

Where would you envisage a potential exec helper being configured? I
suppose in httpd.conf and/or on the svnserve command line?

Max.

application/pgp-signature attachment: OpenPGP digital signature

Received on Wed Nov 8 10:48:59 2006

This message: [ Message body ]
Next message: Max Bowsher: "Re: [HCoop-Discuss] SVN security issues"
Previous message: Karl Chen: "Re: [HCoop-Discuss] SVN security issues"
In reply to: Karl Chen: "Re: [HCoop-Discuss] SVN security issues"
Next in thread: Karl Chen: "Re: [HCoop-Discuss] SVN security issues"
Reply: Karl Chen: "Re: [HCoop-Discuss] SVN security issues"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]