Posted to users@subversion.apache.org by Stefan Franck <fr...@informatik.uni-freiburg.de> on 2004/09/21 09:28:17 UTC

Permissions of post-commit hook

Hi,

I have a post-commit script which checks out any www-resources committed 
into the repository on the web server. The script works fine as long as 
daemon (the executor) has writing permissions on the web server. Since 
this is quite unsafe, I wanted to use SGID. Thus the script always runs 
with my group, having perms to write on the webserver but the daemon 
itself does not.
The problem is that by adding the SGID flag to the script, it won't be 
executed anymore. Any ideas why that happens, and how the problem could 
be solved?


Thanks a lot,
Stefan


Re: Permissions of post-commit hook

Posted by Dominic Anello <da...@danky.com>.
On 2004-09-21 11:28:17 +0200, Stefan Franck wrote:
> Hi,
> 
> I have a post-commit script which checks out any www-resources committed 
> into the repository on the web server. The script works fine as long as 
> daemon (the executor) has writing permissions on the web server. Since 
> this is quite unsafe, I wanted to use SGID. Thus the script always runs 
> with my group, having perms to write on the webserver but the daemon 
> itself does not.
> The problem is that by adding the SGID flag to the script, it won't be 
> executed anymore. Any ideas why that happens, and how the problem could 
> be solved?

Please don't take the following as gospel.  Someone with more in-depth
knowledge of Linux permissions can probably do better.  This is just what I've
discovered by poking around.

SGID doesn't work on scripts (for security reasons, I guess).  You would
have to make a small SUID root executable that sets the right GID and
calls the script.

Here's an example:
========================================================================
/tmp/test.sh:

#!/bin/sh

umask 002
echo -n "Group: "
id -gn
date >> /home/danello/test.txt

========================================================================
/tmp/test.c:

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

int main(void)
{
    /* 501 is group danello */
    if( setgid(501) == -1 )
    {
        printf( "setgid failed with error %i\n", errno );
        return errno;
    }

    /* The file we have to execute as group danello.
     * Only the gid is changed here: because the binary is set-uid root,
     * the uid is still root when the script runs. */
    return system( "/tmp/test.sh" );
}

========================================================================
# cd /tmp

# gcc -o test test.c

# chown root:root test; chmod 4755 test

# ls -ld /home/danello /home/danello/test.txt /tmp/test /tmp/test.sh
drwxr-x--x  140 danello  danello      8192 Sep 21 13:40 /home/danello/
-rw-rw-r--    1 danello  danello       174 Sep 21 13:39 /home/danello/test.txt
-rwsr-xr-x    1 root     root        11543 Sep 21 13:32 /tmp/test
-rwxr-xr-x    1 danello  danello        67 Sep 21 11:52 /tmp/test.sh

# su - nobody

$ /tmp/test
Group: danello

$ tail -n 1 /home/danello/test.txt
Tue Sep 21 13:39:25 EDT 2004

$ date
Tue Sep 21 13:39:45 EDT 2004


-- 
I am the sound a balloon makes falling into the sky;
the sweat of a lump of ice in a summer river. 
    -Gene Wolfe
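A hardened variant of the wrapper above, added here as an example and not Dominic's code: it drops the gid, the supplementary groups and the uid (the set-uid root binary in the reply keeps uid 0 while the script runs), verifies the drop cannot be undone, and starts the hook with execve() and a fixed environment instead of system(). DEPLOY_UID, DEPLOY_GID and the hook path are placeholders, not values from the thread.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Placeholder ids for a dedicated deploy account (assumed, not from the thread). */
#define DEPLOY_UID 1001
#define DEPLOY_GID 1001
#define HOOK_SCRIPT "/tmp/test.sh"   /* fixed path, never taken from argv */

/* Drop real and effective uid/gid to uid/gid and verify the drop.
 * Returns 0 on success, -1 on failure (errno set). */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups can only be cleared while still privileged. */
    if (geteuid() == 0 && setgroups(0, NULL) == -1)
        return -1;
    /* gid before uid: once root is gone the group can no longer change. */
    if (setgid(gid) == -1 || setuid(uid) == -1)
        return -1;
    /* Check all four ids, not just the effective ones. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* A correct drop is irreversible: regaining root must fail. */
    if (uid != 0 && setuid(0) != -1) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Start the hook with a minimal environment via execve(), not system(),
 * so PATH or IFS inherited from the caller cannot influence it. */
int run_hook(const char *path)
{
    char *const argv[] = { (char *)path, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    execve(path, argv, envp);
    return -1;   /* only reached when execve() failed */
}

int main(void)
{
    if (drop_privileges(DEPLOY_UID, DEPLOY_GID) == -1) { perror("drop_privileges"); return 1; }
    if (run_hook(HOOK_SCRIPT) == -1) { perror("execve"); return 1; }
    return 0;
}
```

Install it like the original (root-owned, mode 4755) and point the repository's post-commit hook at it; the script then runs with neither root's uid nor the daemon's gid.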