On Thu, Dec 30, 2010 at 05:02:55PM +0200, Daniel Shahaf wrote: > Stefan Sperling wrote on Thu, Dec 30, 2010 at 15:48:16 +0100: > > It would be nice if the outcome of this thread was a document detailing > > requirements and solutions for a secure, apache-only subversion setup > > on a unix system. > > Patch the kernel and sshd to look for ra_svn greeting being on every new > network socket and ssh command?
Heh. No way, having the kernel peep into packets like that would be a severe layering violation! :) > Anyway: what is the attack being prevented here? I gather that for some > reason just saying "The admin won't install svnserve" isn't good enough. Yes, that's why any such document should detail requirements. It should be clear what is being protected, and why. It should also be clear what is not being protected, and why. Stefan
