[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: [HCoop-Discuss] SVN security issues

From: Max Bowsher <maxb1_at_ukf.net>
Date: 2006-11-08 15:10:08 CET

Karl Chen wrote:
>>>>>> On 2006-11-08 01:48 PST, Max Bowsher writes:
>
> Max> Where would you envisage a potential exec helper being
> Max> configured? I suppose in httpd.conf and/or on the
> Max> svnserve command line?
>
> I propose:
> - On startup, record
> char const *svn_hook_helper = getenv("SVN_HOOK_HELPER")
> - In run_hook_cmd() or its callers, prepend svn_hook_helper to the
> exec arguments, if it is not null.
>
> The administrator would configure Apache+mod_dav_svn:
> SetEnv SVN_HOOK_HELPER /path/to/svnhookhelper

Why an environment variable?

They are somewhat transient and often overlooked, and not always easy to
arrange to be set for daemons. Not something I would let anywhere near
security configuration, if I have a choice.

Moreover, the above code sample won't work, since httpd's SetEnv only
sets real environment variables in subprocesses, which mod_dav_svn isn't.

No, if we do this, it definitely has to be a clear part of the server
configuration, I think.

Max.

Received on Wed Nov 8 15:10:29 2006

This is an archived mail posted to the Subversion Dev mailing list.