[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

RE: Hook scripts start with an empty environment

From: Bert Huijben <bert_at_qqmail.nl>
Date: Wed, 24 Mar 2010 09:27:56 +0100

> -----Original Message-----
> From: Tim Starling [mailto:tstarling_at_wikimedia.org]
> Sent: woensdag 24 maart 2010 7:19
> To: dev_at_subversion.apache.org
> Subject: Hook scripts start with an empty environment
>
> Hook scripts start with an empty environment instead of inheriting it
> from svnserve or whatever.
>
> This is inconvenient, not least for the case where you want to commit
> something to an svn+ssh server via a local pushmi mirror on file:/// and
> your SSH_AUTH_SOCK is lost so you have to type your passphrase all the
> time.
>
> There's no comment in the code explaining why the environment has to be
> empty, so I assume it was just done like that on a whim. Trivial patch
> attached.

        Sorry,

This behavior is by design.

Repository hooks run as the 'repository owner' and clearing the environment is part of the security around that feature.
http://svnbook.red-bean.com/en/1.5/svn.reposadmin.create.html#svn.reposadmin.create.hooks (or http://tinyurl.com/59yzll )

I'm a bit surprised that you actually see a passphrase prompt from a hook, as the hook environment redirects stdin, stdout and stderr to the server process. The only prompt you should be able to see is the prompt for starting the ssh process. (And this ssh isn't called via the function you tried to patch)

If we would forward the environment hook scripts, the scripts might accidentally use environment variables from the calling process without the user knowing. Which opens a backdoor for all kinds of malware/abusal. And it would also make it very hard to create hook scripts that work identical for all repository users.

        Bert
Received on 2010-03-24 09:28:33 CET

This is an archived mail posted to the Subversion Dev mailing list.