[HCoop-Discuss] SVN security issues

Shaun Kruger shaun.kruger at gmail.com
Sat Nov 4 13:12:22 EST 2006


I have been emailing with adamc this morning about the security
problems with subversion.

The following is what I most recently suggested to him.  He thought I
should run it past everyone else...

I just looked into the hook scripts.  If they could be set up with
the setuid bit set they would take on the permissions of the user who owns
the repository when they run.  The next problem is how to force it to
run setuid the owning user or not at all.

I think the best way would be to have a test in subversion itself.  I
think the test would need to be in subversion/libsvn_repos/hooks.c:125
or svn_io_wait_for_cmd() at subversion/libsvn_subr/io.c:2088 (reading
svn 1.4.0 source).

Do you think the setuid solution would solve the problem?  Is this
something that would be helpful for me to work on and produce a patch?

Shaun

-- 
Visit my blog at http://hackerlog.blogspot.com
=====================================================
If more of us valued food and cheer and song above hoarded gold, it would
be a merrier world.
                -- J.R.R. Tolkien
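
The check proposed in the message above (a hook runs setuid as the repository owner or not at all), written in C as an added example; it is not Subversion source and not code from the author. `hook_policy`, `hook_check` and the verdict names are hypothetical, and refusing group- or world-writable hooks is an extra condition assumed here.

```c
/* Added example, not Subversion code. All names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

enum hook_verdict {
    HOOK_OK = 0,
    HOOK_NOT_REGULAR,
    HOOK_NOT_SETUID,
    HOOK_WRONG_OWNER,
    HOOK_WRITABLE_BY_OTHERS,   /* assumption: extra hardening, not in the mail */
    HOOK_STAT_FAILED
};

/* Pure policy decision on already-fetched metadata, so it can be tested. */
enum hook_verdict hook_policy(const struct stat *hook, const struct stat *repo)
{
    if (!S_ISREG(hook->st_mode))
        return HOOK_NOT_REGULAR;
    if (!(hook->st_mode & S_ISUID))
        return HOOK_NOT_SETUID;          /* "setuid ... or not at all" */
    if (hook->st_uid != repo->st_uid)
        return HOOK_WRONG_OWNER;         /* must be setuid the owning user */
    if (hook->st_mode & (S_IWGRP | S_IWOTH))
        return HOOK_WRITABLE_BY_OTHERS;  /* others could replace the hook body */
    return HOOK_OK;
}

/* stat() follows symlinks, so the verdict is about the file exec would run. */
enum hook_verdict hook_check(const char *hook_path, const char *repo_path)
{
    struct stat hook, repo;
    if (stat(hook_path, &hook) != 0 || stat(repo_path, &repo) != 0)
        return HOOK_STAT_FAILED;
    return hook_policy(&hook, &repo);
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <hook> <repository-dir>\n", argv[0]);
        return 2;
    }
    enum hook_verdict v = hook_check(argv[1], argv[2]);
    printf("%s: %s\n", argv[1], v == HOOK_OK ? "may run" : "refused");
    return v == HOOK_OK ? 0 : 1;
}
```

Linux ignores the setuid bit on interpreted (`#!`) scripts, so a hook that passes this check only changes identity when it is a compiled binary or wrapper.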
