
Re: disable security hole in svn+ssh?

From: Les Mikesell <lesmikesell_at_gmail.com>
Date: Fri, 29 Jul 2011 08:02:41 -0500

On 7/28/11 8:27 PM, Andy Canfield wrote:

> Seems like every protocol uses a different
> method to do authorization, and that's my ignorance. I'm trying to work out an
> authorization mechanism that applies regardless of the protocol.

Why? Pick one that works and leave the others so users can't use it, at least
for write access.

> In recent years Linux has gone the route that a valid logged-in user can read
> nearly anything.

They need read/execute access to programs/libraries - repositories have whatever
protection you want to give them.

> Can't change it, but can read it. Charlie can read
> /etc/apache2/mods-enabled/mod_dav_svn.conf. But he can't change it. I can live
> with that.

You can change that if you want. Apache needs to read it.

> Because we could have valuable trade secrets in a Subversion
> repository, I would prefer to limit read access, but if that isn't available so
> be it

Set it the way you want it. Under http(s), apache needs execute permission down
the path and r/w access to the repositories. Other users don't. Or you can run
a different instance of apache under a different uid if you want to isolate it
from other web services - you just have to bind it to a different port or IP
address.

> But I am a little horrified that Charlie can create repositories without
> any authorization at all.

They should be able to create them anywhere they have file create access. They
shouldn't be able to create the ones served by apache or svnserve (unless you
want that).

> I keep comparing Subversion to MySQL. They both store data for you. A repository
> is like a database. But the average user is not allowed to create databases!

There's nothing magic about either one. An average user could run his own
instance of mysql if he wanted, putting it entirely in an area where he has file
access. He'd just have to run it on a different port than the system copy.

>> We're hosting svn behind our firewall on http and so our users have to have a
>> VPN to connect. This of course requires a certain type of security appliance
>> (several hundred bucks at a minimum.)
> In case it hasn't been obvious, I'm in southeast Asia, definitely third world
> turf. And this is a startup, with stingy investors.

If you want to go this route, OpenVPN is free, works across linux/windows/mac
and would work fine. But it is more work to set up than https/ssh and only
worth it if you want generic network access behind your firewall.

>> You can then detect http protocol with a rewrite rule and redirect to https
>> using mod_rewrite in either the vhost container or .htaccess file.
> Where would the .htaccess file be for svn+ssh? There's no directory!

Don't give users access to the repo with filesystem permissions if you don't
want them to use file:/// or svn+ssh access. You really don't want them to have
shell level write access because then they can delete the repository.

And by the way, that redirect of http to https won't really prevent users from
sending plaintext passwords in basic authentication to the http side - it just
won't happen as many times.

-- 
   Les Mikesell
    lesmikesell_at_gmail.com
Received on 2011-07-29 15:03:16 CEST
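An added example, not from this thread or the Subversion project, of the filesystem-permission point made above: a POSIX shell audit that reports any repository entry readable or writable by group or others, plus a lock-down that leaves only the owning service account (the uid Apache/mod_dav_svn or svnserve runs as) with access. It assumes the service account already owns the tree (chown needs root and is optional), and uses a constructed directory tree in place of a real repository so it runs without svnadmin.

```shell
#!/bin/sh
# Closing a repository to everyone but its owning service account means other
# local users cannot reach it via file:/// or svn+ssh (bypassing the server's
# authorization) and cannot delete it. Directories above the repository only
# need execute (search) permission for that account.

# audit_repo_perms DIR: print every entry that grants any permission to
# group or others; returns 0 when the tree is closed, 1 otherwise.
audit_repo_perms() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # POSIX find: "-perm -mode" matches when all bits in mode are set,
    # so test each group/other bit separately and OR them together.
    offenders=$(find "$dir" \( -perm -g+r -o -perm -g+w -o -perm -g+x \
                             -o -perm -o+r -o -perm -o+w -o -perm -o+x \) -print)
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}

# lock_down_repo DIR [OWNER]: owner keeps rw (plus x on directories and on
# files that are already executable, e.g. hook scripts); group and others
# lose everything. OWNER is applied with chown when given (requires root).
lock_down_repo() {
    dir=$1
    owner=$2
    [ -d "$dir" ] || return 2
    if [ -n "$owner" ]; then
        chown -R "$owner" "$dir" || return 3
    fi
    chmod -R u=rwX,go-rwx "$dir"
}

# Constructed stand-in for a repository created under a typical umask,
# i.e. world-readable: the state the audit should flag.
make_demo_repo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/db" "$d/hooks"
    printf 'FSFS\n' > "$d/db/fs-type"
    printf '#!/bin/sh\nexit 0\n' > "$d/hooks/pre-commit"
    chmod 755 "$d" "$d/db" "$d/hooks" "$d/hooks/pre-commit"
    chmod 644 "$d/db/fs-type"
    printf '%s\n' "$d"
}
```

Run the audit as a periodic check; a non-zero exit with listed paths means a user other than the service account could read (or, with a write bit, destroy) the repository directly.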

This is an archived mail posted to the Subversion Users mailing list.