On 2014-09-24 19:28:51 +0300, Stefan Sperling wrote:
> From what I understand after reading about the problem briefly:
>
> In an svn+ssh setup svn clients run 'svnserve -t' by default.
> But there is no reason this could not be changed to '/bin/bash' by
> an attacker.
>
> Note that forcing a command in the authorized_keys file will *not*
> work around the problem: http://seclists.org/oss-sec/2014/q3/651

How can this be possible? Do you mean that OpenSSH starts the command
with bash instead of some exec* function or /bin/sh (which is dash on
my machines)?

> It should be possible to mitigate this attack vector by having
> svnserve run in an environment that doesn't have bash available,
> either with no bash binary at all on the system, or within a chroot.

The main bug would be that OpenSSH might be able to start bash while
the user has never allowed it.

--
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
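An added example, not part of the original message and not Subversion or OpenSSH code: a Python audit helper for the mitigation discussed above. It relies on the behaviour documented in sshd(8) that every command, including a forced `command="..."` from authorized_keys, is run through the account's login shell. The account names, key lines and `/bin/sh` symlink targets are constructed sample data, and the function names are hypothetical.

```python
import re

# Constructed sample data for illustration (not from the original thread).
PASSWD = """\
svn:x:1001:1001:svn+ssh account:/srv/svn:/bin/bash
deploy:x:1002:1002::/home/deploy:/bin/sh
backup:x:1003:1003::/home/backup:
"""
AUTHORIZED_KEYS = {
    "svn": 'command="svnserve -t",no-pty ssh-ed25519 AAAA...constructed svn@host',
    "deploy": "ssh-ed25519 AAAA...constructed deploy@host",
    "backup": 'command="/usr/local/bin/backup.sh daily" ssh-rsa AAAA...constructed b@host',
}

# First field of an authorized_keys line: the options (quotes may hold spaces)
# or, when no options are given, the key type.
FIRST_FIELD = re.compile(r'(?:[^\s"]|"(?:[^"\\]|\\.)*")+')
COMMAND_OPT = re.compile(r'(?:^|,)command="((?:[^"\\]|\\.)*)"')

def forced_command(key_line):
    """Return the command="..." option of an authorized_keys line, or None."""
    field = FIRST_FIELD.match(key_line.strip())
    opt = COMMAND_OPT.search(field.group(0)) if field else None
    return opt.group(1) if opt else None

def effective_shell(pw_shell, symlinks):
    """Shell that runs the command: pw_shell, or /bin/sh when the field is empty."""
    path, seen = pw_shell or "/bin/sh", set()
    while path in symlinks and path not in seen:  # follow links, stop on loops
        seen.add(path)
        path = symlinks[path]
    return path

def audit(passwd_text, keys, symlinks):
    """Return (user, forced command, shell, runs_via_bash) per key-bearing account."""
    rows = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or fields[0] not in keys:
            continue
        shell = effective_shell(fields[6], symlinks)
        rows.append((fields[0], forced_command(keys[fields[0]]),
                     shell, shell.rsplit("/", 1)[-1] == "bash"))
    return rows

if __name__ == "__main__":
    for sh_target in ("/bin/dash", "/bin/bash"):  # two possible /bin/sh targets
        print("/bin/sh ->", sh_target)
        for row in audit(PASSWD, AUTHORIZED_KEYS, {"/bin/sh": sh_target}):
            print("  ", row)
```

The `svn` row is flagged even though its key carries a forced command, because the login shell field, not the `command=` option, decides which shell is started.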