[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: "Flaw" revisited (was: Bug? FSFS revision control)

From: Igmar Palsenberg <maillist_at_jdimedia.nl>
Date: 2005-02-01 12:56:24 CET

> I plan to use Apache as the only method of serving the repository to my
> users. I believe this means that the repository directory and the files
> in it should be owned by the same user and group as the apache process,
> right?


> The concern is that if the repository is owned by the apache user, then
> anything running on the web server could modify the repository (that
> is, modify/corrupt/delete the repository files directly). We use Apache
> as a regular web server already, serving web pages for dozens of
> projects, some programmed by us and some not. What if one of these
> projects has a security flaw that allows arbitrary command execution as
> the apache user (such as the recent phpBB bug)?

Then all of your users are screwed :)

Solutions : Either use a different server setup for subversion, or use
perchild-mpm. I haven't tested the latter myself.


To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Tue Feb 1 12:58:52 2005

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.