Eric Gillespie wrote on Mon, 7 Apr 2008 at 12:30 -0700:
> Richard Hansen <rhansen_at_bbn.com> writes:
>
> > Our solution: In a nutshell, the wrapper execs "/path/to/svnserve -t
> > --tunnel-user=<user_that_executed_the_wrapper>". This wrapper is meant
> > to be installed with the setuid bit set and owned by the user who has
> > read/write access to the repository database files ('svn'). Thus, when
> > user 'foo' executes the wrapper, the wrapper runs "/path/to/svnserve -t
> > --tunnel-user=foo" as user 'svn'. Thus, user 'foo' does not need
> > read/write access to the repository files, making it harder to bypass
> > the path-based access controls. The wrapper uses the getlogin() and
> > getpwuid(getuid()) POSIX functions to fetch the username of the user
> > that started the wrapper.
>
> Have you seen
> http://svn.collab.net/repos/svn/trunk/tools/examples/svnserve-sgid.c ?
>
> > What do you think? Does this sound like something the Subversion user
> > community would be interested in? If so, I'll post a link to the code
> > once it has gone through public release and a quick security review.
>
> I don't see why we couldn't include it in contrib
> (svnserve-sgid.c should be in contrib, too; not sure why I didn't
> put it there to start with).
>
>
Richard, are you still interested in contributing your wrapper? If so,
could you please post it?
Daniel
Received on 2008-04-12 14:39:53 CEST
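
The wrapper design described in the quoted message, written out as an added example; this is not Richard Hansen's code, which was not posted in this thread, and not svnserve-sgid.c. The svnserve path is the message's own placeholder, while the username character set, the 32-character limit and the fixed environment are assumptions, and the example uses only getpwuid(getuid()) to identify the caller.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Placeholder path, exactly as the message elides it. */
#define SVNSERVE_PATH "/path/to/svnserve"

/* Accept only conservative account names (assumed policy) so that nothing
 * resembling an option or extra argument can reach svnserve's argv. */
int is_safe_username(const char *name)
{
    size_t n = name ? strlen(name) : 0;
    if (n == 0 || n > 32 || name[0] == '-')
        return 0;
    return strspn(name, "abcdefghijklmnopqrstuvwxyz"
                        "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-") == n;
}

/* Build "--tunnel-user=<name>"; 0 on success, -1 on bad name or truncation. */
int format_tunnel_arg(const char *name, char *buf, size_t len)
{
    if (!is_safe_username(name))
        return -1;
    int w = snprintf(buf, len, "--tunnel-user=%s", name);
    return (w < 0 || (size_t)w >= len) ? -1 : 0;
}

int main(void)
{
    /* Real UID is the user who ran the wrapper; the effective UID is the
     * repository owner ('svn') because the binary is installed setuid. */
    struct passwd *pw = getpwuid(getuid());
    char arg[64];
    if (pw == NULL || format_tunnel_arg(pw->pw_name, arg, sizeof arg) != 0) {
        fprintf(stderr, "svnserve wrapper: cannot determine invoking user\n");
        return 1;
    }
    /* The caller's own arguments and environment are deliberately dropped. */
    char *const args[] = { "svnserve", "-t", arg, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    execve(SVNSERVE_PATH, args, envp);
    perror("execve"); /* reached only if the exec failed */
    return 1;
}
```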