
Bug 238347

Summary: dev-util/subversion-1.5.2.ebuild: repository permissions are too broad
Product: Gentoo Linux
Reporter: Peter Kolbus <peter.kolbus>
Component: [OLD] Development
Assignee: Benedikt Böhm (RETIRED) <hollow>
Status: RESOLVED FIXED
Severity: normal
CC: arfrever
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: subversion-1.5.4.ebuild.patch

Description Peter Kolbus 2008-09-22 01:52:46 UTC
I'm setting up an svn server on top of Gentoo, and noticed that the default repository permissions are too broad.  To harden access:

1. The repository permissions in "svn over ssh" should be applied to all access types; namely that only root should be able to edit conf and hooks, and only svnusers can write the db.
2. It should be noted that the membership of the svnusers group should be limited as much as possible: to users svn (for svn:// access), apache (for access via apache2), and svn+ssh users (for local or svn+ssh access).
2a. It should also be noted that svnusers membership is not required to use svn locally to access repositories on other systems.
3. chmod -R o-rwx /var/svn.  The world has no business reading svn data, and for svnserve access, there may be plaintext passwords present for all users.
4. Likewise, the umask for the wrapper should be 007 not 002.

If you prefer this as a patch to the ebuild, let me know...


Reproducible: Always

Steps to Reproduce:
1. emerge subversion
2. Read the elog output.
3. emerge --config subversion


Actual Results:
A subversion repository was configured in an insecure manner.

Expected Results:  
The installation should have created a repository using the principle of least privilege.
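The four hardening steps in the report, applied to one repository tree as an added example. This script is not from the bug report, the attached patch or the Gentoo ebuild; it assumes the standard svnadmin layout (conf/, hooks/, db/, locks/ under the repository root) and takes the repository path and the service group as parameters, defaulting the group to the "svnusers" group named in the report. Ownership changes need root and an existing group, so they are skipped with a warning otherwise; the mode changes run as any user. Step 4 (umask 007 for the svnserve wrapper) is a property of the running daemon, not of the on-disk tree, and is only recorded in a comment.

```shell
#!/bin/sh
# Added example, not code from the bug report or the ebuild.
# Layout assumed: REPO/{conf,hooks,db,locks,...} as created by svnadmin.
#
#   conf/ and hooks/   owned by root, read-only for GROUP, nothing for others
#   everything else    group-writable by GROUP, setgid directories
#   anywhere           no read/write/execute for "other"
#
# The svnserve wrapper should additionally run with umask 007 so that new
# files under db/ come out group-writable and not world-readable.

# svn_world_access REPO
#   Print every path under REPO that grants any permission to "other".
#   Returns 1 if such a path exists, 0 if the tree is clean.
svn_world_access() {
    _repo=${1%/}
    # octal -perm -NNN: "all of these bits set"; o=r / o=w / o=x
    _hits=$(find "$_repo" \( -perm -004 -o -perm -002 -o -perm -001 \) -print)
    [ -n "$_hits" ] || return 0
    printf '%s\n' "$_hits"
    return 1
}

# svn_harden REPO [GROUP]
#   Apply the layout above to REPO. Returns 0 when no world access remains.
svn_harden() {
    _repo=${1%/}
    _grp=${2:-svnusers}          # group the report reserves for svnserve access
    [ -d "$_repo/db" ] || { echo "not a repository: $_repo" >&2; return 2; }

    # Step 3: the world gets nothing. conf/passwd may hold plaintext passwords.
    chmod -R o-rwx "$_repo"

    # Step 1: conf/ and hooks/ are root's; the service group may only read
    # (and, for hooks, execute) them. Existing x bits are kept.
    for _d in conf hooks; do
        [ -d "$_repo/$_d" ] && chmod -R g-w "$_repo/$_d"
    done

    # Step 1, continued: the data directories (db/, locks/, ...) are writable
    # by the group. setgid on directories keeps new files in the repo group.
    find "$_repo" \( -path "$_repo/conf" -o -path "$_repo/hooks" \) -prune \
        -o -type d -exec chmod g+rwxs {} +
    find "$_repo" \( -path "$_repo/conf" -o -path "$_repo/hooks" \) -prune \
        -o -type f -exec chmod g+rw {} +

    # Ownership: root for conf/ and hooks/, GROUP everywhere. Needs root and
    # an existing group; otherwise report and leave ownership alone.
    if [ "$(id -u)" -eq 0 ] && getent group "$_grp" >/dev/null 2>&1; then
        chgrp -R "$_grp" "$_repo"
        for _d in conf hooks; do
            [ -d "$_repo/$_d" ] && chown -R "root:$_grp" "$_repo/$_d"
        done
    else
        echo "skipping chown/chgrp to root:$_grp (not root, or group missing)" >&2
    fi

    svn_world_access "$_repo" >/dev/null
}

# Usage: sh harden-svn-repo.sh /var/svn/myrepo [svnusers]
if [ $# -gt 0 ]; then
    svn_harden "$@"
fi
```

Run it once per repository after `svnadmin create`, then re-run `svn_world_access` as a periodic check: an `svnadmin` run with the default umask, or a hook script that creates files, will quietly reintroduce world-readable entries.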
Comment 1 Benedikt Böhm (RETIRED) gentoo-dev 2008-10-25 12:42:22 UTC
(In reply to comment #0)
> If you prefer this as a patch to the ebuild, let me know...

yes, please
Comment 2 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2008-11-12 01:24:13 UTC
Created attachment 171494: subversion-1.5.4.ebuild.patch
Comment 3 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2008-11-12 01:27:31 UTC
(In reply to comment #0)
> 2. It should be noted that the membership of the svnusers group should be
> limited as much as possible: to users svn (for svn:// access), apache (for
> access via apache2), and svn+ssh users (for local or svn+ssh access).

The "svnusers" group is used only when svnserve (svn://) or svnserve+ssh (svn+ssh://) is used.
Apache uses user "apache" and group "apache".
Comment 4 Benedikt Böhm (RETIRED) gentoo-dev 2008-11-16 14:25:45 UTC
fixed, thanks