Posted to users@subversion.apache.org by Stefan Franck <fr...@informatik.uni-freiburg.de> on 2004/09/21 09:28:17 UTC
Permissions of post-commit hook
Hi,
I have a post-commit script which checks out any www-resources committed
into the repository on the web server. The script works fine as long as
daemon (the executor) has writing permissions on the web server. Since
this is quite unsafe, I wanted to use SGID. Thus the script always runs
with my group, having perms to write on the webserver but the daemon
itself does not.
The problem is that by adding the SGID flag to the script, it won't be
executed anymore. Any ideas why that happens, and how the problem could
be solved?
Thanks a lot,
Stefan
Re: Permissions of post-commit hook
Posted by Dominic Anello <da...@danky.com>.
On 2004-09-21 11:28:17 +0200, Stefan Franck wrote:
> Hi,
>
> I have a post-commit script which checks out any www-resources committed
> into the repository on the web server. The script works fine as long as
> daemon (the executor) has writing permissions on the web server. Since
> this is quite unsafe, I wanted to use SGID. Thus the script always runs
> with my group, having perms to write on the webserver but the daemon
> itself does not.
> The problem is that by adding the SGID flag to the script, it won't be
> executed anymore. Any ideas why that happens, and how the problem could
> be solved?
Please don't take the following as gospel. Someone with more in-depth
knowledge of Linux permissions can probably do better. This is just what I've
discovered by poking around.
SGID doesn't work on scripts (for security reasons, I guess). You would
have to make a small SUID root executable that sets the right GID and
calls the script.
Here's an example:
========================================================================
/tmp/test.sh:
#!/bin/sh
umask 002
echo -n "Group: "
id -gn
date >> /home/danello/test.txt
========================================================================
/tmp/test.c:
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
int main(void)
{
    /* 501 is group danello */
    if( setgid(501) == -1 )
    {
        printf( "setgid failed with error %i\n", errno );
        return errno;
    }
    /* The file we have to execute as group danello.
       Note that only the group changed: this wrapper is SUID root, so the
       effective uid is still 0 when the script is started via system(). */
    return system( "/tmp/test.sh" );
}
========================================================================
# cd /tmp
# gcc -o test test.c
# chown root:root test; chmod 4755 test
# ls -ld /home/danello /home/danello/test.txt /tmp/test /tmp/test.sh
drwxr-x--x 140 danello danello 8192 Sep 21 13:40 /home/danello/
-rw-rw-r-- 1 danello danello 174 Sep 21 13:39 /home/danello/test.txt
-rwsr-xr-x 1 root root 11543 Sep 21 13:32 /tmp/test
-rwxr-xr-x 1 danello danello 67 Sep 21 11:52 /tmp/test.sh
# su - nobody
$ /tmp/test
Group: danello
$ tail -n 1 /home/danello/test.txt
Tue Sep 21 13:39:25 EDT 2004
$ date
Tue Sep 21 13:39:45 EDT 2004
--
I am the sound a balloon makes falling into the sky;
the sweat of a lump of ice in a summer river.
-Gene Wolfe
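As an added example that is not Dominic's code: the same wrapper idea written the way a practitioner would deploy it, dropping supplementary groups, gid and uid (the original only changes the gid and leaves the effective uid at root), refusing a hook that others can modify, and exec'ing the hook with a clean environment instead of system(). HOOK_PATH, HOOK_UID and HOOK_GID are assumed values for a dedicated deploy account.

```c
/* Added example, not code from the thread: a SUID-root wrapper that drops
 * the uid as well as the gid, refuses a hook that others could modify, and
 * execs it with a clean environment rather than system(). Path/ids are assumed. */
#define _DEFAULT_SOURCE 1
#include <grp.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#define HOOK_PATH "/usr/local/svn/hooks/post-commit.real" /* assumed path */
#define HOOK_UID  1001 /* assumed uid of the deploy account */
#define HOOK_GID  501  /* assumed gid, as in the thread */

/* Accept only an absolute path to a regular file that nobody but its owner
 * can write; anything else could be swapped out under the wrapper. 0 = ok. */
int check_hook(const char *path)
{
    struct stat st;
    if (path == NULL || path[0] != '/' || stat(path, &st) != 0) return -1;
    if (!S_ISREG(st.st_mode) || (st.st_mode & (S_IWGRP | S_IWOTH))) return -1;
    return 0;
}

/* Drop to gid/uid irrevocably. Groups and gid go first: once the uid is
 * unprivileged they could no longer be changed. setuid() as root sets the
 * real, effective and saved uid, and the last checks confirm the drop. */
int drop_privileges(gid_t gid, uid_t uid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (getegid() != gid || geteuid() != uid) return -1;
    if (uid != 0 && setuid(0) == 0) return -1; /* must not regain root */
    return 0;
}

int main(void)
{
    char *const argv[] = { HOOK_PATH, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL }; /* no inherited env */
    if (check_hook(HOOK_PATH) != 0) {
        fprintf(stderr, "refusing to run %s: bad path or mode\n", HOOK_PATH);
        return 1;
    }
    if (drop_privileges(HOOK_GID, HOOK_UID) != 0) {
        perror("drop_privileges");
        return 1;
    }
    execve(HOOK_PATH, argv, envp); /* only returns on failure */
    perror("execve");
    return 1;
}
```

Install it as in Dominic's transcript (root-owned, mode 4755) and point the Subversion post-commit hook at the wrapper; the wrapper then runs the real hook as the deploy account rather than as daemon or root.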