[HCoop-Discuss] Subversion security issue

Omry Yadan omry at yadan.net
Fri Nov 3 14:10:19 EST 2006


Paul Anderson wrote:

> On 11/3/06, Adam Chlipala <adamc at hcoop.net> wrote:
>   
>> I'm proposing that we discontinue all shared support for Subversion
>> serving.  Letting members run programs anonymously is too huge a
>> security hole, as evidenced by a past break-in (before we banned
>> www-data execution) that left us with an extra $100 bandwidth bill that
>> we had no idea who to charge to for weeks.
>>
>>     
> svnserve might be helpful:
> http://svnbook.red-bean.com/nightly/en/svn.serverconfig.svnserve.html
>
> It appears svnserve can be run in tunnel mode, using -t, and it can
> tunnel over an ssh connection.  In this configuration, it will be run
> as the owner of the repository.  There are other capabilities it has
> that may be useful, although I've not yet fully explored them.
>
>   
This is true - svnserve can run in tunnel mode over ssh, and also as a
standalone non-http server (port 3690 is the default port).
Personally, I like to run it under http because I noticed that my
download was much slower over the svn:// protocol, probably due to traffic
shaping at rush hour on my ISP.

An alternative solution is to run a local Apache as yourself, and proxy
to it from the shared one.




