On Wed, Jan 17, 2007 at 08:57:04AM +0100, Alex Holst wrote:
> Quoting Malcolm Rowe (malcolm-svn-dev@farside.org.uk):
> > You shouldn't run svnserve as root to start with; if you're running it
> > from an init-script, start it with su or similar so that it runs as the
> > user you want it to - no need to switch the uid/gid within the svnserve
> > process.
>
> Sorry to bring up an old thread, but I wanted to make the point that
> there are perfectly good reasons for wanting processes to initially run
> as root: svnserve could be invoked as root, grab the resources it
> needed, chroot itself to the desired repo and then drop privs before
> processing untrusted input. When vulnerabilities in svnserve surface,
> chroot makes the life of attackers somewhat harder.
>
I completely agree with the general comments here, but there's one
important point I think you're missing: svnserve doesn't need to be root
to grab any of its resources. You can run it in a chroot now, and just
start it as the user it should be running as.
> Many daemons and tools in OpenBSD implement privilege separation in this
> manner including httpd, sshd, tcpdump, etc.
>
Right, but httpd and sshd need to bind to privileged ports, and tcpdump
usually wants to set interfaces into promiscuous mode, all of which are
privileged operations.
There's no need to run svnserve as root, and so we'd rather people didn't.
Regards,
Malcolm
Received on Wed Jan 17 12:54:59 2007
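The sequence Alex describes (start as root, grab resources, chroot, drop privileges, only then touch untrusted input) is easy to get subtly wrong, so here is an added C example of it written to fail closed; it is illustrative code, not svnserve's or OpenBSD's, and the jail path and the nobody-style uid/gid in main() are constructed placeholders. It also covers Malcolm's point: when the process was not started as root there is nothing to drop and no chroot is possible, and the function says so rather than silently continuing.

```c
/* Added example: order-sensitive "chroot, then drop privileges, then verify"
 * for a daemon started as root. Not svnserve's code; paths and ids in main()
 * are constructed placeholders. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Result codes returned by drop_privileges(). */
enum privdrop_status {
    PRIVDROP_OK = 0,
    PRIVDROP_REFUSED_ROOT_TARGET = -1, /* uid or gid 0 as target is not a drop */
    PRIVDROP_CHROOT_NEEDS_ROOT = -2,   /* chroot requested, but not running as root */
    PRIVDROP_SYSCALL_FAILED = -3,      /* a system call failed; errno is set */
    PRIVDROP_VERIFY_FAILED = -4,       /* ids differ from target, or root can be regained */
};

/*
 * Confine to jail_dir (if non-NULL) and drop to target_uid/target_gid.
 * Order matters: chroot() must run while still root; chdir("/") so the cwd
 * does not still point outside the jail; supplementary groups are cleared
 * and the gid is set BEFORE the uid, because after setuid() there is no
 * permission left to change groups. Finally verify the drop really stuck.
 * If the process was not root to begin with (Malcolm's case: started as the
 * target user already), the id changes are skipped and only verified.
 */
int drop_privileges(uid_t target_uid, gid_t target_gid, const char *jail_dir)
{
    if (target_uid == 0 || target_gid == 0)
        return PRIVDROP_REFUSED_ROOT_TARGET;

    int was_root = (geteuid() == 0);

    if (jail_dir != NULL) {
        if (!was_root)
            return PRIVDROP_CHROOT_NEEDS_ROOT;
        if (chroot(jail_dir) != 0 || chdir("/") != 0)
            return PRIVDROP_SYSCALL_FAILED;
    }

    if (was_root) {
        if (setgroups(0, NULL) != 0)       /* drop supplementary groups */
            return PRIVDROP_SYSCALL_FAILED;
        if (setgid(target_gid) != 0)       /* gid first ... */
            return PRIVDROP_SYSCALL_FAILED;
        if (setuid(target_uid) != 0)       /* ... then uid */
            return PRIVDROP_SYSCALL_FAILED;
    }

    /* Verify: real and effective ids match the target, and regaining root
     * (possible if a saved uid 0 survived a seteuid-style "drop") fails. */
    if (getuid() != target_uid || geteuid() != target_uid ||
        getgid() != target_gid || getegid() != target_gid)
        return PRIVDROP_VERIFY_FAILED;
    if (setuid(0) == 0 || setgid(0) == 0)
        return PRIVDROP_VERIFY_FAILED;
    return PRIVDROP_OK;
}

int main(void)
{
    /* Constructed placeholders: a repository jail and an unprivileged id. */
    const char *jail = "/var/svn/jail";
    uid_t uid = 65534;
    gid_t gid = 65534;

    /* A real daemon would open listening sockets, log files, etc. here,
     * while still root, before calling drop_privileges(). */
    int rc = drop_privileges(uid, gid, jail);
    if (rc != PRIVDROP_OK) {
        fprintf(stderr, "privilege drop failed (%d): %s\n", rc,
                rc == PRIVDROP_SYSCALL_FAILED ? strerror(errno) : "refused");
        return 1;
    }
    /* Only now is it safe to start reading from the network. */
    printf("running as uid %u gid %u inside %s\n",
           (unsigned)getuid(), (unsigned)getgid(), jail);
    return 0;
}
```

Note that the verification step is what turns a "probably dropped" into a "cannot regain root": a daemon that only calls seteuid() would pass the id checks at a glance but fail the setuid(0) probe, which is exactly the case an attacker exploiting a later bug in the unprivileged code would look for.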