subversion-users mailing list archives

From Andy Canfield <andy.canfi...@pimco.mobi>
Subject disable security hole in svn+ssh?
Date Wed, 27 Jul 2011 04:06:48 GMT
I was trying to get http, svn, and svn+ssh to work.

HERE IT IS USING HTTP:
    svn info http://athol/svn/subdoc
Authentication realm: <http://athol:80> Athol Subversion Repository
Password for 'andy':
Path: subdoc
URL: http://athol/svn/subdoc
Repository Root: http://athol/svn/subdoc
Repository UUID: 1dd2dddc-19a3-44a7-a91e-dc9b8306a138
Revision: 4
Node Kind: directory
Last Changed Author: andy
Last Changed Rev: 4
Last Changed Date: 2011-07-27 03:27:29 +0700 (Wed, 27 Jul 2011)

HERE IT IS USING SVN:
    svn info svn://athol/subdoc
Authentication realm: <svn://athol:3690> Subversion svnserve
Password for 'andy':
Path: subdoc
URL: svn://athol/subdoc
Repository Root: svn://athol/subdoc
Repository UUID: 1dd2dddc-19a3-44a7-a91e-dc9b8306a138
Revision: 4
Node Kind: directory
Last Changed Author: andy
Last Changed Rev: 4
Last Changed Date: 2011-07-27 03:27:29 +0700 (Wed, 27 Jul 2011)

HERE IS THE PROBLEM USING SVN+SSH:
    svn info svn+ssh://athol/data/svn/subdoc
The authenticity of host 'athol (192.168.1.113)' can't be established.
ECDSA key fingerprint is 4a:9d:73:24:94:24:15:a8:08:0c:cd:59:72:d4:3a:d7.
Are you sure you want to continue connecting (yes/no)? yes
kids@athol's password:
Path: subdoc
URL: svn+ssh://athol/data/svn/subdoc
Repository Root: svn+ssh://athol/data/svn/subdoc
Repository UUID: 1dd2dddc-19a3-44a7-a91e-dc9b8306a138
Revision: 4
Node Kind: directory
Last Changed Author: andy
Last Changed Rev: 4
Last Changed Date: 2011-07-27 03:27:29 +0700 (Wed, 27 Jul 2011)

What's 'worse' about it? Well, 'kids' is a valid user name on the 
server; 'kids' can ssh into the server. But 'kids' has no authorization 
to access any Subversion repository in any way. To me this means that 
svn+ssh is a GIGANTIC security hole.

Consider these commands:
    ssh kids@example.com
    rm -rf /data/svn/subdoc
They do nothing; user 'kids' has no right to see anything inside the 
/data/svn directory, which is owned by www-data and readable (and 
writable) only by that user.

But consider these commands:
    mkdir t
    cd t
    svn checkout svn+ssh://example.com/data/svn/subdoc
    svn delete *
    svn commit
These will post a revision deleting everything in the repository. And 
this second set of commands relies only on 'kids' being able to log in 
to the server; they need not have any permission to do anything in 
Subversion!

Is there any way to modify things on the server to disable the svn+ssh: 
protocol without disabling either standard ssh or the svn: protocol?
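
Added example, not part of the original message: with svn+ssh, svnserve is started in tunnel mode as the account that logged in over SSH, so what that account can do to a repository is decided by filesystem permissions on the server. The script below classifies that exposure for the repository path used in the message. It assumes plain POSIX mode bits with no ACLs; the function names and the script name check.sh are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original message. Assumes plain POSIX mode bits
# (no ACLs). Function names are hypothetical.

# other_bits PATH: the "other" rwx triplet of PATH, read from ls -ld.
other_bits() { ls -ld -- "$1" | cut -c8-10; }

# world_searchable DIR BASE: succeed only if every directory from DIR up to
# BASE (inclusive) grants search (x) permission to "other".
world_searchable() {
    dir=$1
    while :; do
        case $(other_bits "$dir") in
            ??[xt]) ;;            # x, or t (sticky bit plus x)
            *) return 1 ;;
        esac
        if [ "$dir" = "$2" ] || [ "$dir" = / ] || [ "$dir" = . ]; then return 0; fi
        dir=$(dirname "$dir")
    done
}

# svnssh_exposure REPO [BASE]: what an account that is neither owner nor group
# member of these directories can do with REPO/db, where the repository data lives:
#   write - may create and delete entries in REPO/db
#   reach - may enter REPO/db but not modify the directory
#   none  - is stopped somewhere between BASE and REPO/db
svnssh_exposure() {
    repo=$1
    base=${2:-/}
    if ! world_searchable "$repo/db" "$base"; then
        echo none
        return 0
    fi
    case $(other_bits "$repo/db") in
        ?w?) echo write ;;
        *)   echo reach ;;
    esac
}

# Run on the server as: sh check.sh /data/svn/subdoc
if [ "$#" -gt 0 ]; then svnssh_exposure "$@"; fi
```

The result covers directory mode bits only; files inside db carry their own modes, and group membership is not evaluated.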

