[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: [PATCH] svnserve dropping root privileges

From: Alex Holst <a_at_mongers.org>
Date: 2007-01-17 08:57:04 CET

Quoting Malcolm Rowe (malcolm-svn-dev@farside.org.uk):
> On Fri, Jan 05, 2007 at 10:28:03AM +0100, Micha?? ??ukaszek wrote:
> > I thought that dropping root privileges by svnserve running as daemon
> > might be useful.
> > Requesting for comments.
> >
>
> You shouldn't run svnserve as root to start with; if you're running it
> from an init-script, start it with su or similar so that it runs as the
> user you want it to - no need to switch the uid/gid within the svnserve
> process.

Sorry to bring up an old thread, but I wanted to make the point that
there are perfectly good reasons for wanting processes to intially run
as root: svnserve could be invoked as root, grab the resources it
needed, chroot itself to the desired repo and then drop privs before
processing untrusted input. When vulnerabilities in svnserve surface,
chroot makes the life of attackers somewhat harder.

Many daemons and tools in OpenBSD implement privilege seperation in this
manner including httpd, sshd, tcpdump, etc.

-- 
I prefer the dark of the night, after midnight and before four-thirty,
when it's more bare, more hollow.                http://a.mongers.org 
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Wed Jan 17 08:57:15 2007

This is an archived mail posted to the Subversion Dev mailing list.