[HCoop-Discuss] SVN security issues
Omry Yadan
omry at yadan.net
Sat Nov 4 16:21:52 EST 2006
I think this should go to the svn dudes, maybe have a better
alternative, or maybe they even want to put it into the main subversion.
Shaun Kruger wrote:
> I have been emailing with adamc this morning about the security
> problems with subversion.
>
> The following is what I most recently suggested to him. He thought I
> should run it past everyone else...
>
> I just looked into the hook scripts. If they could be setup with
> setuid bit set they would take on the premissions of the user who owns
> the repository when they run. The next problem is how to force it to
> run setuid the owning user or not at all.
>
> I think the best way would be to have a test in subversion itself. I
> think the test would need to be in subversion/libsvn_repos/hooks.c:125
> or svn_io_wait_for_cmd() at subversion/libsvn_subr/io.c:2088 (reading
> svn 1.4.0 source).
>
> Do you think the setuid solution would solve the problem? Is this
> something that would be helpful for me to work on and produce a patch?
>
> Shaun
>
>
More information about the HCoop-Discuss
mailing list