On 7/22/2011 10:38 AM, Andy Canfield wrote:
>
> If I set the svnserve program to be owned by APACHE, and setuid and
> setgid, then whatever svnserve does to any repository will also be done
> by APACHE. Only root, or the APACHE user, can make this change to the
> svnserve program binary.

You don't need suid for this. There are normally shell scripts that
start system services that are executed as root and can change their uid
before starting the program. Apache is an exception because it
typically has to open port 80 for listening and ports below 1024 are
restricted to root in unix-like systems - so it has to start as root and
change its own uid after opening the socket.

> If I set the svnadmin program to be owned by APACHE, and setuid and
> setgid, then whatever svnadmin does to any repository will also be done
> by APACHE.

I wouldn't do that without auditing the code. If there are any paths of
execution that can delete or modify files, making it suid gives any
local user the ability to delete/modify your repositories and anything
else owned by apache. Normally, the point of running a network service
with authentication is to prevent most users from having direct access
to the files under control.

Plus, users may want to have their own private subversion repositories
that they create with svnadmin and use file:// access in svn.
--
Les Mikesell
lesmikesell_at_gmail.com
Received on 2011-07-22 19:05:05 CEST
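
The approach discussed in this message, as an added example that is not part of the original thread: a script that reports set-id bits on the Subversion binaries and starts svnserve under a service account from a root-run init script. The account name `apache`, the path `/usr/bin/svnserve`, the repository root `/srv/svn` and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. The account, binary path and
# repository root shown in the usage line are assumptions.

# Print each regular file among the arguments that carries the setuid or
# setgid bit as "<bits> <owner> <path>". Returns 1 if any was found.
audit_setid() {
    found=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        bits=""
        [ -u "$f" ] && bits="setuid"
        [ -g "$f" ] && bits="${bits:+$bits,}setgid"
        [ -n "$bits" ] || continue
        owner=$(ls -ld "$f" | awk '{print $3}')
        echo "$bits $owner $f"
        found=1
    done
    return "$found"
}

# Start a program as an unprivileged account from a script run by root,
# rather than marking the binary set-id. Pass the program by absolute path.
start_as() {
    user=$1; shift
    if [ "$(id -u)" -ne 0 ]; then
        echo "start_as: must be run by root (e.g. from an init script)" >&2
        return 1
    fi
    if ! audit_setid "$1" >&2; then
        echo "start_as: refusing to start a set-id binary" >&2
        return 1
    fi
    # runuser (util-linux) switches uid/gid, then executes the program.
    runuser -u "$user" -- "$@"
}

# Usage: sh svn-priv.sh audit /usr/bin/svnserve /usr/bin/svnadmin
#        sh svn-priv.sh start apache /usr/bin/svnserve -d -r /srv/svn
case "${1:-}" in
    audit) shift; audit_setid "$@" ;;
    start) shift; start_as "$@" ;;
esac
```
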