[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Permissions of post-commit hook

From: Dominic Anello <danello_at_danky.com>
Date: 2004-09-21 19:56:02 CEST

On 2004-09-21 11:28:17 +0200, Stefan Franck wrote:
> Hi,
>
> I have a post-commit script which checks out any www-resources commited
> into the repository on the web server. The script works fine as long as
> daemon (the executor) has writing permissions on the web server. Since
> this is quite unsafe, I wanted to use SGID. Thus the script always runs
> with my group, having perms to write on the webserver but the daemon
> itself does not.
> The problem is that by adding the SGID flag to the script, it won't be
> executed anymore. Any ideas why that happens, and how the problem could
> be solved?

Please don't take the following as gospel. Someone with more in-depth
of Linux permissions can probably do better. This is just what I've
discovered by poking around.

SGID doesn't work on scripts (for security reasons, I guess). You would
have to make a small SUID root executable that sets the right GID and
calls the script.

Here's an example:
========================================================================
/tmp/test.sh:

#!/bin/sh

umask 002
echo -n "Group: "
id -gn
date >> /home/danello/test.txt

========================================================================
/tmp/test.c:

#include <errno.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

int main(char** argv)
{
    extern int errno;

    /* 501 is group danello */
    if( setgid(501) == -1 )
    {
        printf( "setgid failed with error %i\n", errno );
        return errno;
    }

    /* The file we have to execute as group danello */
    return system( "/tmp/test.sh" );
}

========================================================================
#cd /tmp

# gcc -o test test.c

# chown root:root test; chmod 4755 test

# ls -ld /home/danello /home/danello/test.txt /tmp/test /tmp/test.sh
drwxr-x--x 140 danello danello 8192 Sep 21 13:40 /home/danello/
-rw-rw-r-- 1 danello danello 174 Sep 21 13:39 /home/danello/test.txt
-rwsr-xr-x 1 root root 11543 Sep 21 13:32 /tmp/test
-rwxr-xr-x 1 danello danello 67 Sep 21 11:52 /tmp/test.sh

# su - nobody

$ /tmp/test
Group: danello

$ tail -n 1 /home/danello/test.txt
Tue Sep 21 13:39:25 EDT 2004

$ date
Tue Sep 21 13:39:45 EDT 2004

-- 
I am the sound a balloon makes falling into the sky;
the sweat of a lump of ice in a summer river. 
    -Gene Wolfe

  • application/pgp-signature attachment: stored
Received on Tue Sep 21 19:55:59 2004

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.