Re: svnserve-only + ViewCVS HOWTO

I don't normally do this sort of thing but i'm terribly bored and
the "svnserve" in the subject caught my attention. I've
commented on some of the security problems with your setup below.

Keith Smith <keith@pharos.co.nz> writes:

> * I don't access the repository via SSH, so the configuration
> required for this access method is not described.

You have no host verification at all, leaving you vulnerable to
spoofing and man in the middle attacks.

> * Permissions are less restrictive than they could be in some
> places. In my experience, those that know the difference know
> how to rectify matters.

In my experience, people follow instructions as blindly as they
can possibly get away with.

> 5. Add a user 'svn' and convert everything below the directory
> /usr/local/subversion-1.0.5/ to svn.svn ownership. Switch to
> this user and create a repository named 'svn':

Binaries should always be owned by root. They should certainly
never be owned by any user a service runs as. A compromised
svnserve or httpd with write access to binaries can cause further
damage, including potentially gaining more privileges.

> * Ensure that httpd runs as user 'apache', and add apache to
> group 'svn'.

As described above, this lets a compromised httpd write to your
binaries. Even if you make those owned by root, a compromised
httpd can write to your repository. It is not possible to
provide read-only access to a bdb-based repository. If you don't
want to use the fsfs back-end, you can provide anonymous access
to a mirror of your real repository.

Other than that :), it's a nice document. Document these issues
and i think you'll have something valuable.

--
Eric Gillespie <*> epg@pretzelnet.org

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Wed Jul 21 04:57:48 2004