[HCoop-Discuss] subversion-hooks security hole?
Daniel S. Wilkerson
dsw at cs.berkeley.edu
Fri Dec 8 18:40:10 EST 2006

I made a real attempt to find a discussion of this issue in the
hcoop-discuss archives, but there is no search for them and the Google
site:hcoop.net search, while yielding some relevant emails, leaves
something to be desired.

Karl Chen tells me that Adam has previously pointed out a security hole
in the setup of the subversion server infrastructure on HCoop that works
as follows. If anyone adds a subversion hook, this hook runs as user
wwwdata *before* the server changes its user id to the owner of the
particular subversion server. This seems to rather clearly give any
user on the system access to wwwdata; perhaps a user could then create a
shell as user wwwdata and then access things that they should not,
though all of my web data and CGI scripts are owned by me, not wwwdata.

1 - What is the real security threat here? Can people really get to my
data or my subversion server if I had one? Do other bad things?

2 - How can it be fixed? Karl tells me that a way to fix this would be
if the subversion people would allow a directive in a certain place that
would cause the server to change user ids before running the hooks, but
his request for this feature seems to have been ignored by the
Subversion team.

If there is a real threat and it cannot be fixed, it seems that we
should shut off subversion hooks until it can be fixed.

Daniel
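
The exposure described in this message can be sized by listing which repositories currently have an executable hook, and the proposed shut-off amounts to clearing the execute bits on those files. The following is an added example, not part of the original message or of HCoop's own tooling; the directory layout, the function names and the sample tree are assumptions constructed for illustration.

```python
import stat
import tempfile
from pathlib import Path

# Hook names Subversion looks for in <repo>/hooks; "*.tmpl" files are inert templates.
HOOK_NAMES = {
    "start-commit", "pre-commit", "post-commit",
    "pre-revprop-change", "post-revprop-change",
    "pre-lock", "post-lock", "pre-unlock", "post-unlock",
}

def find_repos(root):
    """Yield directories that look like a repository: a format file plus hooks/."""
    for fmt in Path(root).rglob("format"):
        if fmt.is_file() and (fmt.parent / "hooks").is_dir():
            yield fmt.parent

def active_hooks(root):
    """Return (repo, hook, owner_uid) for every hook file with any execute bit set."""
    found = []
    for repo in sorted(find_repos(root)):
        for hook in sorted((repo / "hooks").iterdir()):
            if hook.name in HOOK_NAMES and hook.is_file() and hook.stat().st_mode & 0o111:
                found.append((str(repo), hook.name, hook.stat().st_uid))
    return found

def disable_hooks(root):
    """Clear the execute bits on every active hook; return how many were changed."""
    hooks = active_hooks(root)
    for repo, name, _ in hooks:
        path = Path(repo, "hooks", name)
        path.chmod(stat.S_IMODE(path.stat().st_mode) & ~0o111)
    return len(hooks)

def make_sample_tree():
    """Constructed sample: one repository with a live post-commit, one with a template."""
    root = Path(tempfile.mkdtemp())
    for user, hook, mode in [("alice", "post-commit", 0o755), ("bob", "pre-commit.tmpl", 0o644)]:
        hooks_dir = root / user / "svn" / "hooks"
        hooks_dir.mkdir(parents=True)
        (hooks_dir.parent / "format").touch()
        (hooks_dir / hook).write_text("#!/bin/sh\n")
        (hooks_dir / hook).chmod(mode)
    return str(root)

if __name__ == "__main__":
    for repo, hook, uid in active_hooks(make_sample_tree()):
        print(f"{repo}: {hook} is active (owner uid {uid})")
```

The owner uid in each row shows whose script would run under the web server account if the behaviour described above holds.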