
Re: Hook scripts start with an empty environment

From: Tim Starling <tstarling_at_wikimedia.org>
Date: Wed, 24 Mar 2010 22:56:08 +1100

Bert Huijben wrote:
>> -----Original Message-----
>> From: Tim Starling [mailto:tstarling_at_wikimedia.org]
>> Sent: Wednesday 24 March 2010 7:19
>> To: dev_at_subversion.apache.org
>> Subject: Hook scripts start with an empty environment
>>
>> Hook scripts start with an empty environment instead of inheriting it
>> from svnserve or whatever.
>>
>> This is inconvenient, not least for the case where you want to commit
>> something to an svn+ssh server via a local pushmi mirror on file:/// and
>> your SSH_AUTH_SOCK is lost so you have to type your passphrase all the
>> time.
>>
>> There's no comment in the code explaining why the environment has to be
>> empty, so I assume it was just done like that on a whim. Trivial patch
>> attached.
>
> Sorry,
>
> This behavior is by design.
>
> Repository hooks run as the 'repository owner' and clearing the environment is part of the security around that feature.

You mean if the repository is accessed via the svn or http transports?
That may be true, but the file and svn+ssh transports don't run as any
special user. It would be simple enough to clear the environment only
when the svn or http transports are used. Or the behaviour could be

> I'm a bit surprised that you actually see a passphrase prompt from a hook, as the hook environment redirects stdin, stdout and stderr to the server process. The only prompt you should be able to see is the prompt for starting the ssh process.

I believe ssh opens the controlling terminal directly. But that's beside
the point.

> (And this ssh isn't called via the function you tried to patch)

The hook script calls ssh. The function I patched calls the hook script.
If you pass the full environment to the hook script then the hook script
passes it to ssh. I have tested this.

> If we would forward the environment hook scripts, the scripts might accidentally use environment variables from the calling process without the user knowing. Which opens a backdoor for all kinds of malware/abusal. And it would also make it very hard to create hook scripts that work identical for all repository users.

What sort of backdoor malware abusal exactly? Whatever this problem is,
it obviously isn't a problem for apache, which has a similar unix user
model and nevertheless passes the full environment down to CGI scripts
that it runs.

Anyway, I'm not really too concerned. It can be configurable or
transport-dependent or an autoconf option, or I can just tell everyone I
know to patch and compile their own subversion client.

-- Tim Starling
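The behaviour the two posters are arguing about, shown as an added POSIX shell example that is not code from the thread, from Subversion, or from either poster: a hook-style child is started under `env -i` (a cleared environment, which is what the thread says svn does), so a variable such as SSH_AUTH_SOCK is invisible to it unless the caller forwards an explicit allow-list. The second function shows the defensive habit a hook author needs under that model: set or verify what the hook requires inside the hook instead of relying on inheritance. The function names, the sample socket path and the variable lists are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from Subversion itself.
# Demonstrates a hook-style child started with a cleared environment
# (as the thread says svn does) and an explicit allow-list pass-through.
# Function names, paths and values below are constructed for the demo.

# run_hook_with_env ALLOWLIST NAME
#   Starts a child under `env -i` (empty environment), forwarding only the
#   space-separated variable names in ALLOWLIST, and prints the value of
#   NAME as the child sees it (empty if it was not forwarded).
run_hook_with_env() {
    allow="$1"
    name="$2"
    set --                      # positional parameters become env assignments
    for v in $allow; do
        eval "val=\${$v:-}"     # read the caller's value of $v (names come from our own list)
        set -- "$@" "$v=$val"
    done
    # The child stands in for the hook script; it just echoes NAME.
    env -i "$@" /bin/sh -c "echo \"\${$name:-}\""
}

# require_env NAMES
#   What a hook should do instead of relying on inherited variables:
#   fail early with a clear message if any required name is unset or empty.
#   Returns 0 when all are present, 1 otherwise.
require_env() {
    for v in $1; do
        eval "val=\${$v:-}"
        if [ -z "$val" ]; then
            echo "hook: required variable $v is unset; set it in the hook itself" >&2
            return 1
        fi
    done
    return 0
}

# Demo, run only when invoked as "script --demo" so the functions can be sourced.
if [ "${1:-}" = "--demo" ]; then
    SSH_AUTH_SOCK=/tmp/constructed-agent.sock     # constructed sample value
    export SSH_AUTH_SOCK
    echo "cleared env, no allow-list: '$(run_hook_with_env "" SSH_AUTH_SOCK)'"
    echo "cleared env, forwarded:     '$(run_hook_with_env "SSH_AUTH_SOCK" SSH_AUTH_SOCK)'"
    PATH=/usr/bin:/bin            # a hook sets its own PATH rather than hoping for one
    export PATH
    require_env "PATH" && echo "PATH is set inside the hook"
fi
```

Run it with `--demo` to see the first call print an empty value and the second print the forwarded socket path. The allow-list is the point: forwarding everything (the patch Tim proposes) hands the hook whatever the calling process had, while a named list keeps the hook's inputs visible and the same for every repository user.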
Received on 2010-03-24 12:56:47 CET

This is an archived mail posted to the Subversion Dev mailing list.