[HCoop-Discuss] SVN security issues

Omry Yadan omry at yadan.net
Sat Nov 4 16:21:52 EST 2006


I think this should go to the svn dudes, maybe have a better
alternative, or maybe they even want to put it into the main subversion.



Shaun Kruger wrote:

> I have been emailing with adamc this morning about the security
> problems with subversion.
>
> The following is what I most recently suggested to him.  He thought I
> should run it past everyone else...
>
> I just looked into the hook scripts.  If they could be set up with
> setuid bit set they would take on the permissions of the user who owns
> the repository when they run.  The next problem is how to force it to
> run setuid the owning user or not at all.
>
> I think the best way would be to have a test in subversion itself.  I
> think the test would need to be in subversion/libsvn_repos/hooks.c:125
> or svn_io_wait_for_cmd() at subversion/libsvn_subr/io.c:2088 (reading
> svn 1.4.0 source).
>
> Do you think the setuid solution would solve the problem?  Is this
> something that would be helpful for me to work on and produce a patch?
>
> Shaun
>
>   
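The "setuid the owning user or not at all" test proposed in the quoted message, sketched as an added example; it is not code from this thread or from Subversion, and every name in it (`vet_hook`, `hook_verdict`, `demo_verdict`) is hypothetical. It assumes the policy is: regular file, owned by the repository directory's owner, setuid bit set, not writable by group or others.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical names throughout; none of this is Subversion's API. */
enum hook_verdict { HOOK_OK, HOOK_UNREADABLE, HOOK_NOT_REGULAR,
                    HOOK_WRONG_OWNER, HOOK_NOT_SETUID, HOOK_WRITABLE };

/* Allow a hook only if it is a regular file (not a symlink), owned by the
 * repository owner, setuid, and not group/world writable. On HOOK_OK a
 * non-NULL fd_out receives the checked descriptor, so the caller can execute
 * that exact file instead of re-resolving the path. */
enum hook_verdict vet_hook(const char *repo_dir, const char *hook_path, int *fd_out) {
    struct stat repo, hook;
    enum hook_verdict v = HOOK_OK;
    int fd;
    if (stat(repo_dir, &repo) != 0) return HOOK_UNREADABLE;
    fd = open(hook_path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0) return errno == ELOOP ? HOOK_NOT_REGULAR : HOOK_UNREADABLE;
    if (fstat(fd, &hook) != 0)                   v = HOOK_UNREADABLE;
    else if (!S_ISREG(hook.st_mode))             v = HOOK_NOT_REGULAR;
    else if (hook.st_uid != repo.st_uid)         v = HOOK_WRONG_OWNER;
    else if (!(hook.st_mode & S_ISUID))          v = HOOK_NOT_SETUID;
    else if (hook.st_mode & (S_IWGRP | S_IWOTH)) v = HOOK_WRITABLE;
    if (v == HOOK_OK && fd_out) *fd_out = fd; else close(fd);
    return v;
}

/* Constructed sample: a throwaway "repository" holding one hook file. */
enum hook_verdict demo_verdict(mode_t mode) {
    char dir[] = "/tmp/hookdemoXXXXXX", hook[64];
    enum hook_verdict v;
    if (!mkdtemp(dir)) return HOOK_UNREADABLE;
    snprintf(hook, sizeof hook, "%s/pre-commit", dir);
    close(open(hook, O_CREAT | O_WRONLY, 0700));
    chmod(hook, mode);                 /* chmod is not filtered by the umask */
    v = vet_hook(dir, hook, NULL);
    unlink(hook);
    rmdir(dir);
    return v;
}

int main(void) {
    printf("%d %d %d\n", demo_verdict(04755), demo_verdict(0755), demo_verdict(04775));
    return 0;
}
```

Linux ignores the setuid bit on interpreter (`#!`) scripts, so a hook that passes this check still has to be a compiled program or wrapper to actually run as the repository owner.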




