[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: svnserve authentication without passwd file

From: Phillip Susi <psusi_at_cfl.rr.com>
Date: 2006-03-09 23:37:52 CET

Florian Pose wrote:
> Hi Phillip!
> Thanks, this is what I wanted to know.
> BTW, couldn't one abuse this, by setting the $USER variable and then
> communicate with svnserve in tunnel mode?

Yes, they could, just like they could just ssh into the server and rm
-fr the entire repository. That's why you only give out accounts to
users you trust, or set their login shell to a restricted one that only
allows you to run svnserve, and nothing else ( such as change the
environment ).

> Ah, no, because in doubt the svnserve process wouldn't have enough
> rights on the repository files.

No, the user accounts must have access to the repository because
svnserve runs under their account.
> Now everything is clear! Thanks again!
> Best regards,
> Florian

To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Thu Mar 9 23:50:30 2006

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.