
Re: "Flaw" revisited (was: Bug? FSFS revision control)

From: Igmar Palsenberg <maillist_at_jdimedia.nl>
Date: 2005-02-01 12:56:24 CET

> I plan to use Apache as the only method of serving the repository to my
> users. I believe this means that the repository directory and the files
> in it should be owned by the same user and group as the apache process,
> right?

Yes.

> The concern is that if the repository is owned by the apache user, then
> anything running on the web server could modify the repository (that
> is, modify/corrupt/delete the repository files directly). We use Apache
> as a regular web server already, serving web pages for dozens of
> projects, some programmed by us and some not. What if one of these
> projects has a security flaw that allows arbitrary command execution as
> the apache user (such as the recent phpBB bug)?

Then all of your users are screwed :)

Solutions: either use a different server setup for Subversion, or use
perchild-mpm. I haven't tested the latter myself.

        Igmar

Received on Tue Feb 1 12:58:52 2005
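
An added example, not part of the original mail: a Python check for the concern raised in the quoted question, listing which repository paths a given account (for example the one Apache runs as) could modify, judged from ownership and mode bits only. The function names and the sample directory layout are assumptions made for the illustration.

```python
import os
import stat
import tempfile


def writable_by(repo_root, uid, gids):
    """Return repo paths that a process running as uid/gids could modify.

    Judged from owner, group and mode bits only (no ACLs, no root override).
    A writable directory counts: its entries can be deleted or replaced
    even when the files themselves are read-only.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(repo_root):
        for name in [""] + filenames:  # "" stands for the directory itself
            path = os.path.join(dirpath, name) if name else dirpath
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_uid == uid:
                bit = stat.S_IWUSR
            elif st.st_gid in gids:
                bit = stat.S_IWGRP
            else:
                bit = stat.S_IWOTH
            if st.st_mode & bit:
                hits.append(os.path.relpath(path, repo_root))
    return sorted(hits)


def build_sample_repo(root):
    """Constructed stand-in for a repository directory (not a real repo)."""
    os.makedirs(os.path.join(root, "db", "revs"))
    for rel in ("format", "db/current", "db/revs/0"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("0\n")
    for dirpath, _dirnames, filenames in os.walk(root):
        os.chmod(dirpath, 0o750)
        for name in filenames:
            os.chmod(os.path.join(dirpath, name), 0o640)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as repo:
        build_sample_repo(repo)
        owner = os.lstat(repo).st_uid
        # Repository owned by the account that also serves every other site:
        print("shared owner account:", writable_by(repo, owner, set()))
        # Repository owned by a dedicated account; the other sites run as someone else:
        print("unrelated account:   ", writable_by(repo, owner + 1, set()))
```

Run it against a real repository path with the uid and group ids of the account that serves the other web projects; an empty list means that account cannot change the repository through file permissions alone.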

This is an archived mail posted to the Subversion Users mailing list.
