subversion-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Vincent Lefevre <>
Subject Re: ssh+svn vs. bash security bug?
Date Fri, 26 Sep 2014 22:59:00 GMT
On 2014-09-24 19:28:51 +0300, Stefan Sperling wrote:
> From what I understand after reading about the problem briefly:
> In an svn+ssh setup svn clients run 'svnserve -t' by default.
> But there is no reason this could not be changed to '/bin/bash' by
> an attacker.
> Note that forcing a command in the authorized_keys file will *not*
> work around the problem:

How can this be possible? Do you mean that OpenSSH starts the command
with bash instead of some exec* function or /bin/sh (which is dash on
my machines)?

> It should be possible to mitigate this attack vector by having
> svnserve run in an environment that doesn't have bash available,
> either with no bash binary at all on the system, or within a chroot.

The main bug would be that OpenSSH might be able to start bash while
the user has never allowed it.

Vincent Lefèvre <> - Web: <>
100% accessible validated (X)HTML - Blog: <>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

View raw message