On 2014-09-27 00:45:19 +0100, Philip Martin wrote: > Vincent Lefevre <vincent-...@vinc17.net> writes: > > How can this be possible? Do you mean that OpenSSH starts the command > > with bash instead of some exec* function or /bin/sh (which is dash on > > my machines)? > > OpenSSH uses the login shell for the user, from session.c: > > /* > * Execute the command using the user's shell. This uses the -c > * option to execute the command. > */ > argv[0] = (char *) shell0; > argv[1] = "-c"; > argv[2] = (char *) command; > argv[3] = NULL; > execve(shell, argv, env); > perror(shell); > exit(1); > > > So an svn+ssh installation can be secured by ensuring that the command > "svnserve -t" is forced and the corresponding login shell is not bash.
which is the case on my server: the login shell of the svn user is /bin/sh (which is a symlink to dash). > Subversion cleans the environment before invoking hooks so any hooks > invoked by svnserve are safe even if those hooks use bash. I also use /bin/sh for hooks anyway. > A patch to add a no-user-shell option to OpenSSH has been suggested: > > http://www.openwall.com/lists/oss-security/2014/09/25/41 > > However if there is no shell then OpenSSH either has to parse the > command itself, which is non-trivial, or there is a restriction that no > parameters are passed to the executable, or there has to be a way of > specifying executable and parameters separately. There could be a restriction that no special characters are used in the command (which would generally be sufficient for Subversion, AFAIK), so that splitting on spaces would be sufficient. > There is a similar driver in Subversion: a shell is used when invoking > the arbitrary, used-defined, --editor-cmd/SVN_EDITOR string so that > Subversion does not have to parse it. This is different from hooks > where a direct exec is used. It there were an option to do an exec, you would be OK for me, because I've set SVN_EDITOR to a full pathname (to a Perl script that is a wrapper to the editor). -- Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/> 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/> Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
