On 7/22/2011 10:38 AM, Andy Canfield wrote:
If I set the svnserve program to be owned by APACHE, and setuid and setgid, then whatever svnserve does to any repository will also be done by APACHE. Only root, or the APACHE user, can make this change to the svnserve program binary.
You don't need suid for this. There are normally shell scripts that start system services that are executed as root and can change their uid before starting the program. Apache is an exception because it typically has to open port 80 for listening and ports below 1024 are restricted to root in unix-like systems - so it has to start as root and change its own uid after opening the socket.
If I set the svnadmin program to be owned by APACHE, and setuid and setgid, then whatever svnadmin does to any repository will also be done by APACHE.
I wouldn't do that without auditing the code. If there are any paths of execution that can delete or modify files, making it suid gives any local user the ability to delete/modify your repositories and anything else owned by apache. Normally, the point of running a network service with authentication is to prevent most users from having direct access to the files under control.
Plus, users may want to have their own private subversion repositories that they create with svnadmin and use file:// access in svn.
-- Les Mikesell lesmikes...@gmail.com
