
Re: Security issue when defining wrong location directive in Apache

From: Sander <boxtel_at_gmail.com>
Date: 2006-01-17 01:51:03 CET

Thanks for your replies.

The AuthUserFile IS outside the DocumentRoot. Maybe it looks a little bit
confusing, but it's a Plesk machine .. webroot starts at */httpsdocs (or
httpdocs for non-SSL). Sorry for not mentioning that.

So (for example):

Documentroot = /var/www/domainname/httpsdocs/
SVNParentPath = /var/www/domainname/httpsdocs/projects/

When using the location <Location /svn> config mentioned below .. I think
there are 2 options to make things more secure:

1- renaming SVNParentPath to '/var/www/domainname/httpsdocs/svn' to force
'Dav svn' to serve the files. I still think (I have read that also) that
there is no 'confusing part' here for Apache .. because there are no
overlapping <Location> directives. Or can a 'Location' path NEVER be a path
in DocumentRoot??

2- placing SVNParentPath (and all files/repos below that) outside the
DocumentRoot, making it Apache readable (and writable I guess?).

Option 2 might be the best option, and I think I'm going for that ... but
can you guys tell me if option 1 will be secure enough also (that way the
files will be included in daily backup)?

With regards,

Sander

2006/1/17, Phil Endecott <phil_ckegr_endecott@chezphil.org>:
>
> Sander wrote:
>
> > I had some repositories under my https-root ..
> >
> > My Apache conf was:
>
> I assume DocumentRoot /var/www
>
> > <Location /svn>
> > DAV svn
> > SVNParentPath /var/www/domainname/httpsdocs/projects
> >
> > AuthType Basic
> > AuthName "Subversion Repository Access"
> > AuthUserFile /var/www/domainname/private/.xsinfo
> >
> > </Location>
> >
> > This looks quite OK, doesn't it?
>
> No it doesn't look OK. You have put your AuthUserFile inside your
> DocumentRoot. This is at best bad practice and at worst a huge security
> hole; see http://httpd.apache.org/docs/2.0/mod/mod_auth.html and look at
> the "Security" box under "AuthUserFile".
>
> Your issue with your subversion repository is essentially the same.
>
> Don't put things under your DocumentRoot unless you want to serve them.
>
> --Phil.
>
>
Received on Tue Jan 17 01:57:39 2006
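
An added example, not part of the original thread and not code from Apache or Subversion: a small Python check that flags SVNParentPath, SVNPath and AuthUserFile values lying under DocumentRoot, run against the <Location /svn> block quoted above. It assumes one DocumentRoot per file and compares paths lexically; /var/svn/projects is a hypothetical location used to illustrate option 2.

```python
import posixpath
import re

# Directives whose argument is a filesystem path that should not be web-served.
SENSITIVE = {"svnparentpath", "svnpath", "authuserfile"}

def is_under(path, root):
    """Lexical containment check (symlinks are not resolved)."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")

def audit(conf_text):
    """Return [(directive, path)] for sensitive paths inside DocumentRoot."""
    docroot, found = None, []
    for line in conf_text.splitlines():
        m = re.match(r'\s*(\w+)\s+"?([^"\s]+)"?', line)
        if not m:
            continue  # skips comments, blank lines and <Section> tags
        name, arg = m.groups()
        if name.lower() == "documentroot":
            docroot = arg
        elif name.lower() in SENSITIVE:
            found.append((name, arg))
    if docroot is None:
        return []
    return [(n, p) for n, p in found if is_under(p, docroot)]

# Constructed sample: the <Location /svn> block quoted in the thread, with
# DocumentRoot and SVNParentPath filled in per case.
TEMPLATE = """\
DocumentRoot {docroot}
<Location /svn>
    DAV svn
    SVNParentPath {repos}
    AuthType Basic
    AuthName "Subversion Repository Access"
    AuthUserFile /var/www/domainname/private/.xsinfo
</Location>
"""

def case(docroot, repos):
    return audit(TEMPLATE.format(docroot=docroot, repos=repos))

PROJECTS = "/var/www/domainname/httpsdocs/projects"
ASSUMED = case("/var/www", PROJECTS)                       # DocumentRoot assumed in the reply
ACTUAL = case("/var/www/domainname/httpsdocs/", PROJECTS)  # layout given in the follow-up
# Option 2: /var/svn/projects is a hypothetical location outside DocumentRoot.
MOVED = case("/var/www/domainname/httpsdocs/", "/var/svn/projects")
```

With the DocumentRoot assumed in the reply both paths are reported; with the layout given in the follow-up only SVNParentPath is; with the repositories moved out of the tree nothing is.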

This is an archived mail posted to the Subversion Users mailing list.
