empty pre-commit hook fails with svn+ssh with some accounts
We have a rather unique setup to meet certain requirements and as a result I can't get any hooks to work (even empty ones or ones that just exit with a zero return code). In short, we have a repository owned by one user that is accessed by tunneling over ssh to other user accounts. To get around the permission issues, the setuid bit is set on /usr/bin/svnserve for the user that owns the repository. Everything works fine except hooks regardless of what permissions I give them or what the script does. The hooks work fine though if I ssh to the user account that owns the repository rather than another user account (we can't operate that way though). Everything else from the other user accounts works fine. Also, running the pre-commit hook from the other user accounts using an empty environment works fine too. All the scripts are bash scripts. All systems are RHEL 5.5 using svn 1.4. Any ideas? Thanks. - Daniel
Re: empty pre-commit hook fails with svn+ssh with some accounts
On Thu, Jul 21, 2011 at 9:36 AM, Daniel Neuberger daniel.neuber...@gmail.com wrote: We have a rather unique setup to meet certain requirements and as a result I can't get any hooks to work (even empty ones or ones that just exit with a zero return code). In short, we have a repository owned by one user that is accessed by tunneling over ssh to other user accounts. To get around the permission issues, the setuid bit is set on /usr/bin/svnserve for the user that owns the repository. Everything works fine except hooks regardless of what permissions I give them or what the script does. The hooks work fine though if I ssh to the user account that owns the repository rather than another user account (we can't operate that way though). Everything else from the other user accounts works fine. Also, running the pre-commit hook from the other user accounts using an empty environment works fine too. All the scripts are bash scripts. All systems are RHEL 5.5 using svn 1.4. Stop *RIGHT* there. Go grab the Subverson 1.6.x from the RHEL updates. Do not pass go, do not collect $200 until you do this sitewide. There are significant security and performance improvements, well worth the update pain. That said, putting suid bits on svnserve is just begging for confusing pain in a configuration that no one has been using. Can you not use the svn+ssh shared account access, with SSH keys restricted to svnserve tunnel access, as documented in the Subversion Red Book?
Re: empty pre-commit hook fails with svn+ssh with some accounts
On Thu, Jul 21, 2011 at 10:51 AM, Nico Kadel-Garcia nka...@gmail.com wrote: Stop *RIGHT* there. Go grab the Subverson 1.6.x from the RHEL updates. Do not pass go, do not collect $200 until you do this sitewide. There are significant security and performance improvements, well worth the update pain. Okay, we plan to do that asap, but it will take at least a little time. In the meantime, there's no reason to believe that's causing my problem though, right? That said, putting suid bits on svnserve is just begging for confusing pain in a configuration that no one has been using. Can you not use the svn+ssh shared account access, with SSH keys restricted to svnserve tunnel access, as documented in the Subversion Red Book? That's what we're doing but the repository is owned by a separate user as an additional security measure so that if someone somehow gains shell access to the shared account, they won't be able to delete the repository or anything like that. Do you think there's anyway to make it work this way? Thanks for the help. - Daniel
Re: empty pre-commit hook fails with svn+ssh with some accounts
On Thu, Jul 21, 2011 at 11:01 AM, Daniel Shahaf d...@daniel.shahaf.name wrote: ls -ald $REPOS_DIR $REPOS_DIR/hooks/ $REPOS_DIR/hooks/pre-commit $ ls -ald repos/testrepo repos/testrepo/hooks/ repos/testrepo/hooks/pre-commit drwxrwxrwx 7 svnuser svnuser 4096 Jul 20 13:03 repos/testrepo drwxrwxrwx 2 svnuser svnuser 4096 Jul 21 05:31 repos/testrepo/hooks/ -rwxrwxrwx 1 svnuser svnuser 44 Jul 21 05:15 repos/testrepo/hooks/pre-commit Since nothing else was working, I gave full permissions to everyone, but it's still not working. Thanks. - Daniel
Re: empty pre-commit hook fails with svn+ssh with some accounts
2011/7/21 Daniel Neuberger daniel.neuber...@gmail.com: In short, we have a repository owned by one user that is accessed by tunneling over ssh to other user accounts. Can't comment on this. The hooks work fine though if I ssh to the user account that owns the repository rather than another user account (we can't operate that way though). All the scripts are bash scripts. All systems are RHEL 5.5 using svn 1.4. The scripts have execute permissions for those other users? Maybe svn cannot find bash to execute those scripts? Consider what happens when you run with empty PATH. One known example is the tasks run by cron. Have you looked into system-wide logs (for issues like SELinux warnings)? Best regards, Konstantin Kolinko
Re: empty pre-commit hook fails with svn+ssh with some accounts
On Thu, Jul 21, 2011 at 11:16 AM, Konstantin Kolinko knst.koli...@gmail.com wrote: The scripts have execute permissions for those other users? Yes. Maybe svn cannot find bash to execute those scripts? Consider what happens when you run with empty PATH. One known example is the tasks run by cron. The same script works though when logging into the repo-owner account, so I don't think that's the problem. Also, the full path is specified in the hashbang. Obviously, setting the PATH in the script wouldn't change anything, do you have other ideas though? Have you looked into system-wide logs (for issues like SELinux warnings)? Yes and there's nothing of interest. Thanks! - Daniel
Re: empty pre-commit hook fails with svn+ssh with some accounts
On Thu, Jul 21, 2011 at 2:13 PM, Nico Kadel-Garcia nka...@gmail.com wrote: Don't give the shared svn user a valid shell If an administrator needs to run operations as that user, to manipulate config files or create new repositories, they can do sudo -s -H -u svn to get a valid shell as the administrative user. Sudo can even be configured to allow designated users such administrative access without requing local root privileges at all. Hmm, why didn't I think of that? It doesn't seem to work though. Setting the shell to /bin/nologin or even just fakeshell breaks everything. Is there another way to give an invalid shell?
Re: empty pre-commit hook fails with svn+ssh with some accounts
On 7/21/2011 4:00 PM, Daniel Neuberger wrote: On Thu, Jul 21, 2011 at 2:13 PM, Nico Kadel-Garcianka...@gmail.com wrote: Don't give the shared svn user a valid shell If an administrator needs to run operations as that user, to manipulate config files or create new repositories, they can do sudo -s -H -u svn to get a valid shell as the administrative user. Sudo can even be configured to allow designated users such administrative access without requing local root privileges at all. Hmm, why didn't I think of that? It doesn't seem to work though. Setting the shell to /bin/nologin or even just fakeshell breaks everything. Is there another way to give an invalid shell? How about /bin/false? This is the shell defined for all of the non-login (e.g. daemon) accounts on my machines. -- David Chapman dcchap...@acm.org Chapman Consulting -- San Jose, CA
Re: empty pre-commit hook fails with svn+ssh with some accounts
On Thu, Jul 21, 2011 at 7:24 PM, David Chapman dcchap...@acm.org wrote: On 7/21/2011 4:00 PM, Daniel Neuberger wrote: On Thu, Jul 21, 2011 at 2:13 PM, Nico Kadel-Garcianka...@gmail.com wrote: Don't give the shared svn user a valid shell If an administrator needs to run operations as that user, to manipulate config files or create new repositories, they can do sudo -s -H -u svn to get a valid shell as the administrative user. Sudo can even be configured to allow designated users such administrative access without requing local root privileges at all. Hmm, why didn't I think of that? It doesn't seem to work though. Setting the shell to /bin/nologin or even just fakeshell breaks everything. Is there another way to give an invalid shell? How about /bin/false? This is the shell defined for all of the non-login (e.g. daemon) accounts on my machines. Depends on local system requirements. /sbin//nologin is common for system accounts, such as www-data and named on UNIX and Linux ystems, that don't need root access nor a valid user shell. It can even be listed in /etc/shells as a valid shell to permit certain oddball authentication setups to work well.