
Re: [HCoop-Discuss] SVN security issues

From: Max Bowsher <maxb1_at_ukf.net>
Date: 2006-11-08 15:10:08 CET

Karl Chen wrote:
>>>>>> On 2006-11-08 01:48 PST, Max Bowsher writes:
>
> Max> Where would you envisage a potential exec helper being
> Max> configured? I suppose in httpd.conf and/or on the
> Max> svnserve command line?
>
> I propose:
> - On startup, record
>     char const *svn_hook_helper = getenv("SVN_HOOK_HELPER")
> - In run_hook_cmd() or its callers, prepend svn_hook_helper to the
>   exec arguments, if it is not null.
>
> The administrator would configure Apache+mod_dav_svn:
>     SetEnv SVN_HOOK_HELPER /path/to/svnhookhelper

Why an environment variable?

They are somewhat transient and often overlooked, and not always easy to
arrange to be set for daemons. Not something I would let anywhere near
security configuration, if I have a choice.

Moreover, the above code sample won't work, since httpd's SetEnv only
sets real environment variables in subprocesses, which mod_dav_svn isn't.

No, if we do this, it definitely has to be a clear part of the server
configuration, I think.

Max.

Received on Wed Nov 8 15:10:29 2006
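
The SetEnv point in the message above can be seen with a small C model, added here as an example (not code from Subversion, httpd, or the thread): a variable placed only in the environment block built for a spawned child is invisible to getenv() in the spawning process, which is the position in-process module code is in. The function names and the use of /bin/sh as the child are assumptions made for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample value, taken from the quoted SetEnv line. */
#define HELPER_ASSIGNMENT "SVN_HOOK_HELPER=/path/to/svnhookhelper"

/* What code running inside the server process gets from getenv(). */
const char *helper_seen_in_server(void)
{
    return getenv("SVN_HOOK_HELPER");
}

/* Model of a SetEnv-style variable: it exists only in the environment
 * block handed to a spawned child, never in the parent's own environ.
 * Returns 1 if the child sees the variable, 0 if not, -1 on error. */
int helper_seen_in_child(void)
{
    char *child_env[] = { HELPER_ASSIGNMENT, NULL };
    char *argv[] = { "sh", "-c", "test -n \"$SVN_HOOK_HELPER\"", NULL };
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve("/bin/sh", argv, child_env);
        _exit(127);                      /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0;
}

int main(void)
{
    unsetenv("SVN_HOOK_HELPER");         /* start from a clean server environment */
    printf("server process: %s\n",
           helper_seen_in_server() ? helper_seen_in_server() : "(null)");
    printf("child process:  %s\n",
           helper_seen_in_child() == 1 ? "set" : "not set");
    return 0;
}
```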

This is an archived mail posted to the Subversion Dev mailing list.
