Using svnserve securely

From: Sebastian Tennant <sebyte_at_gmail.com>
Date: Tue, 26 Feb 2008 15:26:55 +0200

Hi list,

How to deploy svnserve securely _and_ provide local read/write access to
a repository at the same time.

_Feedback most welcome_.

For security reasons you should always run publically accessible
services as unprivileged processes, so create an 'svn' system user, make
'svn' the owner of /usr/bin/svnserve and set the setuid bit, like so:

$ ls -ld /usr/bin/svnserve
-rwsr-xr-x 1 svn root 43124 Jun 8 2007 /usr/bin/svnserve

Now, for svnserve to have write access to the repository, the repository
must either be owned by 'svn', or world-writable. Clearly the latter is
undesirable, so make 'svn' the owner of the repository, like so:

$ ls -ld /var/svn-repository
drwxr-xr-x 7 svn root 4096 Aug 11 2007 /var/svn-repository

In terms of EUID and directory permissions svnserve is now securely
deployed, but what about local access?

We can give /usr/bin/svn write access to the repository by doing what we
did to /usr/bin/svnserve and making it 'setuid svn', but then check out
or update operations are only possible in world-writable directories or
directories owned by 'svn' and this time neither solution is desirable.

Also, when a user checks out a batch of new files from the repository
they form part of *her* working copy and should belong to her, not
'svn'.

No, we need to find a way to give /usr/bin/svn write access to the
repository without making it 'setuid svn' and without making the
repository world writable?

Enter *nix groups.

Create an 'svn' system group, make 'svn' the group to which /usr/bin/svn
belongs, and set the setgid bit, like so:

$ ls -ld /usr/bin/svn
-rwxr-sr-x 1 root svn 116988 Jun 8 2007 /usr/bin/svn

Now make the repository writable for members of the group 'svn':

$ ls -ld /var/svn-repository
drwxrwxr-x 7 svn svn 4096 Aug 11 2007 /var/svn-repository

Finally, you also need to make the other /usr/bin/svn* executable files
'setgid svn' (apart from /usr/bin/svnserve).

To summarise:

$ ls -ld /usr/bin/svnserve /usr/bin/svn /var/svn-repository
-rwsr-xr-x 1 svn root 43124 Jun 8 2007 /usr/bin/svnserve
-rwxr-sr-x 1 root svn 116988 Jun 8 2007 /usr/bin/svn
drwxrwxr-x 7 svn svn 4096 Aug 11 2007 /var/svn-repository

Your repository is secure (non-world-writable) whilst granting
write-access to an unprivileged svnserve, and at the same time local
users can still enjoy EUID=UID read/write access.

Sebastian

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: users-help_at_subversion.tigris.org
Received on 2008-02-26 14:27:22 CET

This message: [ Message body ]
Next message: John Peacock: "Re: Using svnserve securely"
Previous message: Adrian Gschwend: "Re: importing trunk only to an existing repository"
Next in thread: John Peacock: "Re: Using svnserve securely"
Reply: John Peacock: "Re: Using svnserve securely"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]