Jon Foster wrote:
> Hi,
>
> I have a repository that is partially mirrored, using svnsync and
> mod_authz_svn [1]. I just realised that the administrator of the
> mirror server can bypass the authz rules I've set up on the master
> server. All he has to do is change the svn:sync-from-url property
> on the mirror repository to be a file:// URL to the source
> repository, rather than a http:// one. The correct file:// URL is
> probably guessable.
Yes, you are correct. If the admin of the mirror server changes the
sync-from URL to a properly guessed file:// URL, then svnsync, when run on
the master server, will read that URL from the mirror and use it for its
sync work, bypassing authz.
> Attack #2 (other repositories):
>
> More generally, the administrator of the mirror repository can use
> this attack to get a full mirror of ANY repository that svnsync can
> access, if they know both the repository URL and UUID. In practice,
> the requirement to know the UUID is likely to frustrate most attacks
> that are directed against other repositories. (It does not provide
> any protection whatsoever against the basic "bypass authz" attack
> described earlier in this mail, because the mirror repository's
> "svn:sync-from-uuid" property already contains the correct UUID).
> But the repository UUID was never intended to be a security-critical
> secret - it's included in plaintext in every SVN checkout, and
> changing it requires everyone to fix up their working copies.
So, you're saying that svnsync, running on the master server via repos1's
hooks, would contact what it thinks is a mirror of repos1 on the mirror
server, read the sync URL (which actually points to file://.../repos2), and
start syncing repos2's data across the wire. Right. Um... Ewww.
> Possible workarounds:
>
> - Don't run svnsync on the same system as the master repository,
> run it on the mirror server instead.
This has high practical costs, though.
> - Run svnsync as a different user that doesn't have access to any
> repository files.
This is a better workaround.
> Suggested fix:
>
> Please can we change "svnsync sync" to allow both the source and
> target URLs to be specified? That rather simple measure would block
> this attack. Since svnsync is usually invoked from a script, typing
> the extra URL isn't a problem.
>
> (If only one URL is specified, then svnsync should probably behave
> as it does today, for backward-compatibility. And we should
> document that svnsync trusts the mirror server if you only provide
> one URL).
This is a very sensible suggestion.
--
C. Michael Pilato <cmpilato_at_collab.net>
CollabNet <> www.collab.net <> Distributed Development On Demand
Received on 2010-05-12 17:20:21 CEST
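One way to implement the "run svnsync as a different user" workaround together with a check that the mirror has not been redirected, as an added example that is not part of this thread or of Subversion's own tooling: the script below reads the mirror's svn:sync-from-url revision property (which svnsync stores on revision 0 of the mirror) and refuses to sync unless it equals the http:// source URL the master's administrator expects. The mirror URL, the expected source URL and the unprivileged account name are assumed values.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the Subversion project.
# Wrapper for "svnsync sync" intended to be run from the master's post-commit
# hook under an account that has no read access to the repository files.

# check_sync_url EXPECTED ACTUAL
# Succeeds only when the URL recorded on the mirror equals the URL the
# master's administrator configured. file:// URLs are rejected outright,
# since those would make svnsync read the master's repository files
# directly and bypass mod_authz_svn.
check_sync_url() {
    expected="$1"
    actual="$2"
    case "$actual" in
        file://*) return 1 ;;
    esac
    [ "$actual" = "$expected" ]
}

# safe_svnsync MIRROR_URL EXPECTED_SOURCE_URL
# Reads svn:sync-from-url from revision 0 of the mirror, validates it, and
# only then invokes svnsync. Assumed values for the two URLs are shown in
# the usage line at the bottom.
safe_svnsync() {
    mirror="$1"
    expected="$2"
    actual=$(svn propget --revprop -r 0 svn:sync-from-url "$mirror") || return 1
    if ! check_sync_url "$expected" "$actual"; then
        echo "refusing to sync: mirror '$mirror' reports source '$actual'," \
             "expected '$expected'" >&2
        return 1
    fi
    svnsync sync "$mirror"
}

# Usage (hypothetical URLs); run this script as the unprivileged sync user,
# e.g. from the hook via: su - svnsync-user -c '/path/to/this-script.sh'
# safe_svnsync "http://mirror.example.com/svn/repos1" \
#              "http://master.example.com/svn/repos1"
```

The check is only a stop-gap: it guards against the property being rewritten, but the second half of the workaround (an account with no access to the repository files) is what actually removes the file:// path. Later svnsync releases accept an optional SOURCE_URL after DEST_URL on the sync command; where that is available, passing the source explicitly is the simpler fix Jon asks for.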