
disable security hole in svn+ssh?

From: Andy Canfield <andy.canfield_at_pimco.mobi>
Date: Wed, 27 Jul 2011 11:06:48 +0700

I was trying to get http, svn, and svn+ssh to work.

HERE IT IS USING HTTP:
svn info http://athol/svn/subdoc
Authentication realm: <http://athol:80> Athol Subversion Repository
Password for 'andy':
Path: subdoc
URL: http://athol/svn/subdoc
Repository Root: http://athol/svn/subdoc
Repository UUID: 1dd2dddc-19a3-44a7-a91e-dc9b8306a138
Revision: 4
Node Kind: directory
Last Changed Author: andy
Last Changed Rev: 4
Last Changed Date: 2011-07-27 03:27:29 +0700 (Wed, 27 Jul 2011)

HERE IT IS USING SVN:
svn info svn://athol/subdoc
Authentication realm: <svn://athol:3690> Subversion svnserve
Password for 'andy':
Path: subdoc
URL: svn://athol/subdoc
Repository Root: svn://athol/subdoc
Repository UUID: 1dd2dddc-19a3-44a7-a91e-dc9b8306a138
Revision: 4
Node Kind: directory
Last Changed Author: andy
Last Changed Rev: 4
Last Changed Date: 2011-07-27 03:27:29 +0700 (Wed, 27 Jul 2011)

HERE IS THE PROBLEM USING SVN+SSH:
svn info svn+ssh://athol/data/svn/subdoc
The authenticity of host 'athol (192.168.1.113)' can't be established.
ECDSA key fingerprint is 4a:9d:73:24:94:24:15:a8:08:0c:cd:59:72:d4:3a:d7.
Are you sure you want to continue connecting (yes/no)? yes
kids@athol's password:
Path: subdoc
URL: svn+ssh://athol/data/svn/subdoc
Repository Root: svn+ssh://athol/data/svn/subdoc
Repository UUID: 1dd2dddc-19a3-44a7-a91e-dc9b8306a138
Revision: 4
Node Kind: directory
Last Changed Author: andy
Last Changed Rev: 4
Last Changed Date: 2011-07-27 03:27:29 +0700 (Wed, 27 Jul 2011)

What's 'worse' about it? Well, 'kids' is a valid user name on the
server; 'kids' can ssh into the server. But 'kids' has no authorization
to access any Subversion repository in any way. To me this means that
svn+ssh is a GIGANTIC security hole.

Consider these commands:
    ssh kids@example.com
    rm -rf /data/svn/subdoc
They do nothing; user 'kids' has no right to see anything inside the
/data/svn directory, which is owned by www-data and readable (and
writable) only by that user.

But consider these commands:
    mkdir t
    cd t
    svn checkout svn+ssh://example.com/data/svn/subdoc
    svn delete *
    svn commit
These will post a revision deleting everything in the repository. And
this second set of commands relies only on 'kids' being able to log in
to the server; they need not have any permission to do anything in
Subversion!

Is there any way to modify things on the server to disable the svn+ssh:
protocol without disabling either standard ssh or the svn: protocol?
Received on 2011-07-27 06:07:56 CEST

This is an archived mail posted to the Subversion Users mailing list.
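
An added example, not part of the original mail: svn+ssh starts `svnserve -t` on the server as the SSH login account, so what that account can do to a repository is decided by the file permissions on disk. The script below audits a repository path for access by an unrelated local account. The function names are hypothetical, and it assumes the account is neither the owner nor in the owning group and that no ACLs are in use.

```shell
#!/bin/sh
# Added example, not from the original mail. svn+ssh runs `svnserve -t` as the
# SSH login account, so repository access follows that account's file rights.
# Assumption: the account is neither the owner nor in the owning group, so
# only the "other" permission bits apply. ACLs are not considered.

# other_bits PATH: print the three "other" mode characters, e.g. "r-x".
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# reachable_by_other REPO [BASE]: succeed if every directory from REPO up to
# BASE (default /) grants "other" the search bit (x, or t on sticky dirs).
reachable_by_other() {
    dir=$1
    base=${2:-/}
    while :; do
        case $(other_bits "$dir") in
            ??x | ??t) ;;
            *) return 1 ;;
        esac
        parent=$(dirname "$dir")
        # Stop at BASE, at /, or when a relative path can go no higher.
        if [ "$dir" = "$base" ] || [ "$parent" = "$dir" ]; then
            return 0
        fi
        dir=$parent
    done
}

# repo_exposure REPO [BASE]: print "write", "read" or "none" for what an
# unrelated local account could do to the repository files.
repo_exposure() {
    if ! reachable_by_other "$1" "${2:-/}"; then
        echo none
    elif [ -n "$(find "$1" ! -type l -perm -002 | head -n 1)" ]; then
        echo write
    elif [ -n "$(find "$1" ! -type l -perm -004 | head -n 1)" ]; then
        echo read
    else
        echo none
    fi
}

# Usage: sh audit.sh /data/svn/subdoc   (path taken from the mail above)
if [ $# -gt 0 ]; then
    repo_exposure "$@"
fi
```

Run it on the server as root or as the repository owner so that `find` can see every entry; a result of `none` means an SSH login outside the owning user and group cannot open the repository through svn+ssh.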