Re: Securing subversion on a shared server

From: Les Mikesell <lesmikesell_at_gmail.com>
Date: Tue, 12 May 2009 10:10:21 -0500

Neil Aggarwal wrote:
> I did not have the mode since I changed it.
> You are probably correct the files
> were mode 644.
>
> I am using https to connect to the server.
>
> The problem is that file mode 644 is still
> readable by anyone with an account on the server.
>
> I would like to make sure all files on the server
> (The repository and any user-space files) are
> mode x00.
>
> So my question is: What directories do I need to secure?
>
> I changed the repository directory and all files in
> it to mode 700. I also changed the ~/.subversion
> directory to mode 700.
>
> Is there anything else I need to change?

You must have access down the whole path to reach a file. As long as
some directory above your repository only has x permission for apache,
no one else (except root) can access the files regardless of their own
permissions. However, you should be very careful about other web
applications, cgi-scripts, etc., on the same machine as it is moderately
easy to subvert apache if you can get write access to its configuration
or anywhere that it will execute content.

-- 
   Les Mikesell
    lesmikesell_at_gmail.com
Received on 2009-05-12 17:11:14 CEST

This is an archived mail posted to the Subversion Users mailing list.
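
The path rule from the reply above, as an added example that is not part of the original mail: it walks every directory from a starting point down to a file and reports the first component whose mode stops the "other" permission class. The function names and the srv/svn/repo tree are constructed for illustration.

```python
import os
import stat
import tempfile

def path_chain(target, start="/"):
    """List every path from start down to target, both included."""
    start, target = os.path.realpath(start), os.path.realpath(target)
    chain, rel = [start], os.path.relpath(target, start)
    if rel != os.curdir:
        for part in rel.split(os.sep):
            chain.append(os.path.join(chain[-1], part))
    return chain

def other_gate(target, start="/"):
    """Return the first component that stops the 'other' permission class
    (users who are neither owner nor group member), or None if the target
    is reachable and readable by them. Run as root or as the owner so
    that every component can be stat()ed."""
    for path in path_chain(target, start):
        mode = os.stat(path).st_mode
        # Directories need search (x) to be passed through; a file needs r.
        needed = stat.S_IXOTH if stat.S_ISDIR(mode) else stat.S_IROTH
        if not mode & needed:
            return path
    return None

def demo():
    """Constructed tree: srv/svn/repo/db/format, file left at mode 644."""
    top = tempfile.mkdtemp()          # mkdtemp itself is 0700, so start below it
    srv = os.path.join(top, "srv")
    db = os.path.join(srv, "svn", "repo", "db")
    os.makedirs(db)
    for d in path_chain(db, srv):
        os.chmod(d, 0o755)
    fmt = os.path.join(db, "format")
    with open(fmt, "w") as fh:
        fh.write("4\n")
    os.chmod(fmt, 0o644)
    before = other_gate(fmt, start=srv)           # None: world-readable
    os.chmod(os.path.join(srv, "svn"), 0o700)     # close one ancestor only
    after = other_gate(fmt, start=srv)            # .../srv/svn is the gate
    return before, after, oct(stat.S_IMODE(os.stat(fmt).st_mode))

if __name__ == "__main__":
    print(demo())
```

On a real server, call `other_gate()` on a repository file with the default `start="/"`; a `None` result means no ancestor directory is closing the path for other local accounts.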