svn: svnserve in -t svn+ssh mode does not use config/authz access security

Bug #519083 reported by LimCore on 2010-02-09
This bug affects 1 person
Affects: subversion (Ubuntu)

Bug Description

Binary package hint: subversion

In all versions of subversion.

Subversion offers various methods to access the repository, including standard svn://, also file://, and also svn+ssh.

In svn+ssh access mode, when using ssh public keys (so svnserve -t), the config/authz config access of SVN repository is ignored!

1. this can be surprising behaviour
2. this (using only ssh unix user permissions) does not offer the same fine granularity as config/authz

Especially if someone makes one unix user and uses pubkeys with --tunnel-user, so that all developers ssh into one unix account like svndevel@server and, depending on the ssh key used to log in, the svn user is selected.

In such a scenario it will not be possible at all to allow access to only given repos or easily switch all configs around, making new unix users and setting everything up the hard way.

This is not very clearly documented; this matter is not very obvious even to experienced svn users, as I see from talking with a few over the last months.

Perhaps this can be even considered a security risk, because, switching access method suddenly silently ignores the most obvious-to-use security config file (authz in svn repo dir).

There is no workaround, even with scripting, because there is no READ-ACCESS hook, so you could secure only write accesses.

LimCore (limcore) on 2010-02-09
visibility: private → public
LimCore (limcore) wrote :

Removed security tag; I guess it will not be seen clearly as a security bug here anyway.

security vulnerability: yes → no
LimCore (limcore) wrote :

Perhaps it's after all undocumented enough to justify a security bug?

I don't see any mention of authz not working in SSH tunnel mode.

LimCore (limcore) wrote :

My bad, in fact this is documented:

"When running over a tunnel, authorization is primarily controlled by operating system permissions to the repository's database files; it's very much the same as if Harry were accessing the repository directly via a file:// URL"

It would be nice to put some warning in the config file and perhaps on connect, the same as there is a warning that the password is going to be stored/cached in an insecure way.
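An added example, not part of the bug report and not Subversion's own code: a Python audit of the shared-account setup described in the report, where each developer's key in the account's authorized_keys is mapped to an svn user through `svnserve -t --tunnel-user`. The sample file, key material and issue messages are constructed; the script reports which svn user and repository root each key is pinned to, since in tunnel mode those entries and file permissions bound what a key can reach.

```python
import shlex
# Constructed sample authorized_keys for a shared account (not from the bug report).
SAMPLE = '''\
command="svnserve -t --tunnel-user=harry -r /srv/svn",restrict ssh-ed25519 AAAAkeyHarry harry
command="svnserve -t --tunnel-user=sally",no-pty ssh-ed25519 AAAAkeySally sally
ssh-ed25519 AAAAkeyBob bob
'''
HARDEN = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding", "no-pty"}

def split_options(line):
    """Return (options, rest); option values may be quoted and hold commas or blanks."""
    if line.startswith(("ssh-", "ecdsa-", "sk-")):
        return [], line                       # line starts with the key type: no options
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if quoted and line[i:i + 2] == '\\"':
            cur, i = cur + '"', i + 1         # escaped quote inside a quoted value
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            opts, cur = opts + [cur], ""
        elif ch in " \t" and not quoted:
            break                             # first unquoted blank ends the option field
        else:
            cur += ch
        i += 1
    return opts + [cur], line[i:].strip()

def audit(text):
    """Return [(line_no, svn_user, root, issues)] for every key line."""
    report = []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        kv = {o.partition("=")[0].lower(): o.partition("=")[2] for o in split_options(raw.strip())[0]}
        argv = shlex.split(kv.get("command", ""))
        user = next((a.split("=", 1)[1] for a in argv if a.startswith("--tunnel-user=")), None)
        root = next((argv[j + 1] for j, a in enumerate(argv[:-1]) if a in ("-r", "--root")), None)
        issues = [msg for bad, msg in (
            ("command" not in kv, "no forced command: key is not limited to svnserve"),
            ("command" in kv and user is None, "no --tunnel-user: author is the shared unix account"),
            ("command" in kv and root is None, "no -r/--root: any path the account can read is reachable"),
            ("restrict" not in kv and not HARDEN <= set(kv), "no restrict/no-* options set"),
        ) if bad]
        report.append((n, user, root, issues))
    return report

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```
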
