
Re: [Patch] Subversion 1.5 SASL doesn't work correctly with Kerberos cross-realm authentication

From: Lieven Govaerts <svnlgo_at_mobsol.be>
Date: Thu, 23 Jul 2009 15:30:08 +0200

On Sat, Mar 21, 2009 at 3:06 AM, Alec Kloss <alec-dated-1238029604.c45de2_at_setfilepointer.com> wrote:
> I once pined:
>
> On 2008-08-12 14:00, Alec Kloss wrote:
>> First off, Subversion's code is lovely to read.
>>
>> The subject pretty much says it all.  The SASL support in
>> Subversion 1.5 blindly removes realm specifiers from the user's
>> authentication.
>>
>> There's a seatbelt early in cyrus_auth.c which protects against
>> security problems associated with removing the realm as described
>> by this comment:
>>
>>       /* The only valid realm is user_realm (i.e. the repository's realm).
>>            If the user gave us another realm, complain. */
>>
>> Later, at the end of cyrus_auth_request() the realm is yanked off
>> of the authenticated user, which creates the potential security
>> issue that the seatbelt in cyrus_auth.c is protecting against:
>>
>>       if ((p = strchr(user, '@')) != NULL)
>>         /* Drop the realm part. */
>>         b->user = apr_pstrndup(b->pool, user, p - (char *)user);
>>       else
>>
>> I guess I'd propose changing the default behavior to allow
>> cross-realm and strip the realm part off in cyrus_auth_request()
>> if-and-only-if it matches the configured "user_realm".  I'd like to
>> see a flag to disable the stripping of the realm entirely, as
>> people with lots of cross-realm will almost certainly prefer that.
>>
>> (And while I'm commenting, has no one looked into logging in
>> svnserve since 2005?  It's kinda a big thing to be missing, at
>> least among the paranoid.)
>
> Please see attached patch.  It works against 1.6.0 and trunk r36738.

> [[[
>
> Add optional cross-realm support to cyrus_auth.c. Adds three
> boolean configuration entries in the [sasl] section:
>
> enable-cross-realm: set to enable cross-realm support
> remove-local-realm: set to true to remove the local realm
>     from a user name, false to keep the realm on a local user.
>     Defaults to !enable-cross-realm
> remove-remote-realm: set to true to remove the realm of a remote
>     user. This is a potential security hazard and should not
>     be enabled unless you're confident all realms are trustworthy.
>
> ]]]

Why do we need those three flags exactly? Can we not select a safe default?

We don't seem to need them for Kerberos over HTTP (ra_neon)?

Lieven

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2374818

Received on 2009-07-23 15:31:17 CEST
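
Added example, not part of the original thread or of the attached patch: a stand-alone C sketch of the realm handling discussed above, contrasting the blind strip quoted from cyrus_auth_request() with the proposed "strip only if the realm matches user_realm" rule. The function names, the local_realm parameter and the sample principals are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Copy the first n bytes of s into out; fail on empty or oversized names. */
static int copy_name(const char *s, size_t n, char *out, size_t outlen)
{
  if (n == 0 || n >= outlen)
    return -1;
  memcpy(out, s, n);
  out[n] = '\0';
  return 0;
}

/* Behaviour of the quoted snippet: drop everything from the first '@'. */
int strip_blind(const char *principal, char *out, size_t outlen)
{
  return copy_name(principal, strcspn(principal, "@"), out, outlen);
}

/* Proposed rule: strip only when the realm equals local_realm (hypothetical
   parameter standing in for the configured user_realm). Kerberos realm
   names are case-sensitive, hence strcmp(). */
int strip_if_local(const char *principal, const char *local_realm,
                   char *out, size_t outlen)
{
  const char *at = strchr(principal, '@');
  if (at != NULL && strcmp(at + 1, local_realm) == 0)
    return copy_name(principal, (size_t)(at - principal), out, outlen);
  return copy_name(principal, strlen(principal), out, outlen);
}

/* 1 if principals a and b end up with the same authorization name. */
int collides(const char *a, const char *b, const char *realm, int blind)
{
  char x[256], y[256];
  int ra = blind ? strip_blind(a, x, sizeof x) : strip_if_local(a, realm, x, sizeof x);
  int rb = blind ? strip_blind(b, y, sizeof y) : strip_if_local(b, realm, y, sizeof y);
  return ra == 0 && rb == 0 && strcmp(x, y) == 0;
}

int main(void)
{
  /* Constructed principals; EXAMPLE.COM plays the repository's realm. */
  const char *local = "alice@EXAMPLE.COM", *remote = "alice@OTHER.EXAMPLE";
  printf("blind strip collides:    %d\n", collides(local, remote, "EXAMPLE.COM", 1));
  printf("strip-if-local collides: %d\n", collides(local, remote, "EXAMPLE.COM", 0));
  return 0;
}
```

With the blind strip both principals become "alice", so path-based authorization cannot tell the remote user from the local one; with the conditional strip the remote user keeps the full "alice@OTHER.EXAMPLE" name.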

This is an archived mail posted to the Subversion Users mailing list.
