[HCoop-Discuss] SVN security issues
Max Bowsher
maxb1 at ukf.net
Wed Nov 8 09:10:08 EST 2006
Karl Chen wrote:
>>>>>> On 2006-11-08 01:48 PST, Max Bowsher writes:
>
> Max> Where would you envisage a potential exec helper being
> Max> configured? I suppose in httpd.conf and/or on the
> Max> svnserve command line?
>
> I propose:
>  - On startup, record
>      char const *svn_hook_helper = getenv("SVN_HOOK_HELPER")
>  - In run_hook_cmd() or its callers, prepend svn_hook_helper to the
>    exec arguments, if it is not null.
>
> The administrator would configure Apache+mod_dav_svn:
>      SetEnv SVN_HOOK_HELPER /path/to/svnhookhelper

Why an environment variable?

They are somewhat transient and often overlooked, and not always easy to
arrange to be set for daemons. Not something I would let anywhere near
security configuration, if I have a choice.

Moreover, the above code sample won't work, since httpd's SetEnv only
sets real environment variables in subprocesses, which mod_dav_svn isn't.

No, if we do this, it definitely has to be a clear part of the server
configuration, I think.

Max.
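
A sketch of the alternative discussed in this message, added here as an example (it is not code from the thread or from Subversion): the helper path arrives as an explicit server configuration value instead of through getenv(), and is prepended to the hook's exec arguments. The names hook_config, helper_path_ok and build_hook_argv are hypothetical, as is the rule of accepting only absolute paths without ".." components.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical server-side setting: filled in by the configuration parser
 * (an httpd.conf directive or an svnserve option), never from getenv(). */
struct hook_config {
    const char *hook_helper;   /* absolute path, or NULL when unset */
};

/* Assumed policy: accept only absolute paths with no ".." component. */
static int helper_path_ok(const char *p)
{
    if (p == NULL || p[0] != '/')
        return 0;
    for (const char *s = p; (s = strstr(s, "..")) != NULL; s += 2) {
        /* s > p here because p[0] is '/', so s[-1] is in bounds */
        if (s[-1] == '/' && (s[2] == '/' || s[2] == '\0'))
            return 0;
    }
    return 1;
}

/* Build the argv to exec for a hook. With a helper configured the result is
 * { helper, hook, args..., NULL }; without one it is { hook, args..., NULL }.
 * Returns NULL (fail closed) if the configured helper path is rejected or
 * allocation fails. The caller frees the array; the strings are borrowed. */
const char **build_hook_argv(const struct hook_config *cfg, const char *hook,
                             const char *const *args, size_t nargs)
{
    int use_helper = (cfg != NULL && cfg->hook_helper != NULL);
    if (use_helper && !helper_path_ok(cfg->hook_helper))
        return NULL;

    const char **argv = calloc(nargs + 3, sizeof *argv);
    if (argv == NULL)
        return NULL;

    size_t i = 0;
    if (use_helper)
        argv[i++] = cfg->hook_helper;   /* helper runs first, hook becomes its argument */
    argv[i++] = hook;
    for (size_t k = 0; k < nargs; k++)
        argv[i++] = args[k];
    argv[i] = NULL;
    return argv;
}
```

A misconfigured helper path makes the call return NULL, so the caller refuses to run the hook instead of silently running it without the helper.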