I was trying to get http, svn, and svn+ssh to work.

HERE IT IS USING HTTP:
    svn info http://athol/svn/subdoc
Authentication realm: <http://athol:80> Athol Subversion Repository
Password for 'andy':
Path: subdoc
URL: http://athol/svn/subdoc
Repository Root: http://athol/svn/subdoc
Repository UUID: 1dd2dddc-19a3-44a7-a91e-dc9b8306a138
Revision: 4
Node Kind: directory
Last Changed Author: andy
Last Changed Rev: 4
Last Changed Date: 2011-07-27 03:27:29 +0700 (Wed, 27 Jul 2011)

HERE IT IS USING SVN:
    svn info svn://athol/subdoc
Authentication realm: <svn://athol:3690> Subversion svnserve
Password for 'andy':
Path: subdoc
URL: svn://athol/subdoc
Repository Root: svn://athol/subdoc
Repository UUID: 1dd2dddc-19a3-44a7-a91e-dc9b8306a138
Revision: 4
Node Kind: directory
Last Changed Author: andy
Last Changed Rev: 4
Last Changed Date: 2011-07-27 03:27:29 +0700 (Wed, 27 Jul 2011)

HERE IS THE PROBLEM USING SVN+SSH:
    svn info svn+ssh://athol/data/svn/subdoc
The authenticity of host 'athol (192.168.1.113)' can't be established.
ECDSA key fingerprint is 4a:9d:73:24:94:24:15:a8:08:0c:cd:59:72:d4:3a:d7.
Are you sure you want to continue connecting (yes/no)? yes
kids@athol's password:
Path: subdoc
URL: svn+ssh://athol/data/svn/subdoc
Repository Root: svn+ssh://athol/data/svn/subdoc
Repository UUID: 1dd2dddc-19a3-44a7-a91e-dc9b8306a138
Revision: 4
Node Kind: directory
Last Changed Author: andy
Last Changed Rev: 4
Last Changed Date: 2011-07-27 03:27:29 +0700 (Wed, 27 Jul 2011)
What's 'worse' about it? Well, 'kids' is a valid user name on the server; 'kids' can ssh into the server. But 'kids' has no authorization to access any Subversion repository in any way. To me this means that svn+ssh is a GIGANTIC security hole.

Consider these commands:
    ssh k...@example.com
    rm -rf /data/svn/subdoc
They do nothing; user 'kids' has no right to see anything inside the /data/svn directory, which is owned by www-data and readable (and writable) only by that user.

But consider these commands:
    mkdir t
    cd t
    svn checkout svn+ssh://example.com/data/svn/subdoc
    svn delete *
    svn commit
These will post a revision deleting everything in the repository. And this second set of commands relies only on 'kids' being able to log in to the server; they need not have any permission to do anything in Subversion!

Is there any way to modify things on the server to disable the svn+ssh: protocol without disabling either standard ssh or the svn: protocol?

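With svn+ssh the client starts svnserve on the server under the SSH login account, so that account's filesystem permissions on the repository path decide what it can do. The following is an added example, not part of the original post: a shell audit that reports whether accounts outside the owner and group can reach and read or write a repository. The path /data/svn/subdoc comes from the post; the function names are hypothetical, and group membership and ACLs are not evaluated.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are
# hypothetical. Only the "other" permission class is examined; group
# membership and ACLs are out of scope for this check.

# List entries under a repository that the "other" class (any login that
# is neither the owner nor in the owning group) can read (004) or write (002).
other_exposed() {
    find "$1" \( -perm -004 -o -perm -002 \) -print
}

# Succeed only if "other" has search permission (001) on every directory
# from $1 up to and including $2. Without it the files below cannot be
# reached at all, whatever their own mode bits say.
other_can_reach() {
    dir=$1
    while :; do
        [ -n "$(find "$dir" -prune -perm -001 -print)" ] || return 1
        case $dir in "$2"|/|.) return 0 ;; esac
        dir=$(dirname "$dir")
    done
}

# One verdict per repository: EXPOSED means a login such as the post's
# 'kids' account could open repository files through svn+ssh.
audit_repo() {
    if other_can_reach "$1" "$2" && [ -n "$(other_exposed "$1")" ]; then
        echo "EXPOSED"
    else
        echo "RESTRICTED"
    fi
}

# Stand-alone use, with the paths quoted in the post:
#   sh audit.sh /data/svn/subdoc /data
if [ "$#" -eq 2 ]; then audit_repo "$1" "$2"; fi
```

A verdict of RESTRICTED for a repository that an unrelated login can still commit to points at group membership, ACLs, or a wrapper around svnserve, which this check does not cover.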