subversion-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Vincent Lefevre <vincent-...@vinc17.net>
Subject Re: ssh+svn vs. bash security bug?
Date Fri, 26 Sep 2014 22:59:00 GMT
On 2014-09-24 19:28:51 +0300, Stefan Sperling wrote:
> From what I understand after reading about the problem briefly:
> 
> In an svn+ssh setup svn clients run 'svnserve -t' by default.
> But there is no reason this could not be changed to '/bin/bash' by
> an attacker.
> 
> Note that forcing a command in the authorized_keys file will *not*
> work around the problem: http://seclists.org/oss-sec/2014/q3/651

How can this be possible? Do you mean that OpenSSH starts the command
with bash instead of some exec* function or /bin/sh (which is dash on
my machines)?

> It should be possible to mitigate this attack vector by having
> svnserve run in an environment that doesn't have bash available,
> either with no bash binary at all on the system, or within a chroot.

The main bug would be that OpenSSH might be able to start bash while
the user has never allowed it.

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Mime
View raw message