
Re: svn makes server security holes?

From: Scott Lamb <slamb_at_slamb.org>
Date: 2006-05-05 02:40:44 CEST

On May 4, 2006, at 2:58 PM, Ryan Schmidt wrote:
>> I understand you want to have Subversion installed on our
>> shared server to use with your site. A few years ago we determined
>> that the use of WebDAV on any of our servers is a major security flaw
>> due to the way the software works. Subversion makes use of WebDAV
>> and thus it is not allowed on any of our shared servers.

Sounds like one person determined long ago that Apache's WebDAV
implementation in a certain configuration is not appropriate for a
specific usage. Someone else saw your request, remembered being told
"WebDAV bad", placed it together with "Subversion uses WebDAV", and
concluded "Subversion bad". The full analysis was never repeated;
probably if they did, they'd discover that this situation is
different enough that their objections are irrelevant.

Without knowing the supposed problem with WebDAV, that's the best
guess I can give.

On the other hand, in a shared hosting environment, they're probably
right to be cautious about installing new server software. In
general, more stuff accessible from the net = more security holes,
whether they're bugs in the software, misconfigurations because
they're unwilling to invest the time to learn how to install and
maintain it properly, etc. Nothing specific to Subversion.

Will you be the only user of this repository? Do you have shell
access? If so, you could use svn+ssh in an inarguably secure fashion
- svnserve runs as you, and an attacker can't even talk to your
Subversion installation without having your ssh credentials (and the
ability to execute arbitrary shell commands as you anyway). In fact,
if they're unwilling to install Subversion for you, you can compile
it and run it this way in your home directory on your own. If they
complain about _that_, you need a new provider.

Regards,
Scott

-- 
Scott Lamb <http://www.slamb.org/>
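The svn+ssh setup described in the mail above (svnserve compiled into the user's own home directory, reachable only with that user's ssh credentials) can be tightened one step further on the server side: an authorized_keys forced command makes a given ssh key able to run nothing but `svnserve -t`. This is an added example, not code from the original mail; the svnserve path, repository root and public key are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original mail. Builds an authorized_keys entry that
# confines one ssh key to "svnserve -t": the key can speak the svn protocol to
# svnserve (running as this unix user), but cannot open a shell, a pty or a tunnel.
# This also solves the PATH problem of a svnserve compiled into $HOME, since sshd
# runs the full path in the forced command regardless of what the client asked for.

SVNSERVE="$HOME/svn/bin/svnserve"   # assumption: svnserve built into the home directory
REPO_ROOT="$HOME/repos"             # assumption: repositories live under this directory

# svn_authorized_key PUBKEY TUNNEL_USER -> prints one authorized_keys line
svn_authorized_key() {
    pubkey="$1"
    tunnel_user="$2"
    # Everything except svnserve is switched off for this key.
    opts='no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty'
    # -r confines repository URLs to REPO_ROOT (svn+ssh://host/proj -> $REPO_ROOT/proj);
    # --tunnel-user records who committed when several keys share one unix account.
    printf 'command="%s -t -r %s --tunnel-user=%s",%s %s\n' \
        "$SVNSERVE" "$REPO_ROOT" "$tunnel_user" "$opts" "$pubkey"
}

# key_is_confined LINE -> succeeds only if LINE forces svnserve and denies a pty,
# i.e. the key cannot be used for an interactive login.
key_is_confined() {
    case "$1" in
        *'command="'*'svnserve -t'*',no-pty '*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample key, for demonstration only.
svn_authorized_key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONLY alice@laptop" alice
```

Append the printed line to `~/.ssh/authorized_keys` on the server; the client side needs no change beyond using `svn+ssh://host/proj` URLs.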
Received on Fri May 5 02:41:41 2006

This is an archived mail posted to the Subversion Users mailing list.
