How much libsvn_repos wrap around the libsvn_fs

[Nitin Shukla <ni...@infotech.stph.net>]

Hello,

Subversion as I know now has libsvn_repos APIs to act as a wrapper over the
File System library, but this is not a complete wrapper around the
filesystem interface. At present events like creation and commit of
Subversion transactions, and the modification of revision properties are
wrapped by repository interface. This is done because they have hooks
associated with them. It is also said that in future there would be others
events which may be wrapped by repository interface.

I am interested in knowing what are the other events which will be
interfaced by the repository access library, as these would empower hooks to
have fine control over the access to the repository? What does the initial
release and the subsequent release of Subversion intend to have in
particular to the repository interface having the wrapper over the file
system library.

Thanks in anticipation,
Nitin.

Re: How much libsvn_repos wrap around the libsvn_fs

[Michael Wood <mw...@its.uct.ac.za>]

On Fri, Jan 03, 2003 at 11:42:56AM +0100, Branko ??ibej wrote:
> Michael Wood wrote:
> 
> >On Fri, Jan 03, 2003 at 12:37:07PM +0530, Nitin Shukla wrote:
> >[snip]
> >
> >>this would require an ACL system inherent to libsvn_fs.  Probably, I
> >>am asking too much and trying to figure out something impossible.
> >>    
> >>
> >
> >Indeed :)  Concentrate on ra_dav and ra_svn instead and ignore ra_local
> >as far as ACLs are concerned.
> >
> 
> Just a note here -- any ACL system we implement within Subversion will
> have to be inherent to libsvn_fs in any case, so that all RA methods
> can use it. Sure, it'll be more or less advisory for ra_local.

Yes, sorry, I didn't mean to imply that ACLs could/should not be
"inherent to" libsvn_fs.

-- 
Michael Wood <mw...@its.uct.ac.za>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: How much libsvn_repos wrap around the libsvn_fs

[Michael Wood <mw...@its.uct.ac.za>]

On Fri, Jan 03, 2003 at 01:35:10PM -0500, Seth W. Klein wrote:
> Branko ??ibej <br...@xbc.nu> wrote:
[snip]
> > Just a note here -- any ACL system we implement within Subversion
> > will have to be inherent to libsvn_fs in any case, so that all RA
> > methods can use it. Sure, it'll be more or less advisory for
> > ra_local.
> 
> Does this remain true even if the svn binary is suid svn and the
> repository is writeable only by that user?
[snip]

Well, I doubt Subversion was ever meant to be run setuid.  In general,
it's a very bad idea to run anything setuid that wasn't designed to run
setuid.

If you ran svn setuid to "svn" and had the repository only writable by
"svn," it would add another layer of protection to your repository, but
I'd still be more inclined to trust ra_svn or ra_dav.

Actually, I've just thought of a trivial exploit.  Set EDITOR to /bin/sh
and run a commit of something.  You shouldn't even need commit access,
since the editor gets called before the client knows whether or not
you're allowed to commit.  When your "/bin/sh" "editor" gets run, you
have a shell with the permissions of your "svn" user.  You can now run
your hacked client to subvert any ACLs.

-- 
Michael Wood <mw...@its.uct.ac.za>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: How much libsvn_repos wrap around the libsvn_fs

[Branko Čibej <br...@xbc.nu>]

Colin Watson wrote:

>On Fri, Jan 03, 2003 at 08:37:55PM +0100, Branko ??ibej wrote:
>  
>
>>Seth W. Klein wrote:
>>    
>>
>>>Branko ????ibej <br...@xbc.nu> wrote:
>>>      
>>>
>>>>Just a note here -- any ACL system we implement within Subversion will
>>>>have to be inherent to libsvn_fs in any case, so that all RA methods can
>>>>use it. Sure, it'll be more or less advisory for ra_local.
>>>>        
>>>>
>>>Does this remain true even if the svn binary is suid svn and the
>>>repository is writeable only by that user?
>>>      
>>>
>>Of course. If you do that, getuid() will always return "svn", and how
>>else will you authenticate a local user?
>>    
>>
>
>No, getuid() will return the calling user's uid. geteuid() will return
>the uid of the svn user.
>

Hey, that's right. Well, I suppose having a setuid client would work on
Unix, then.

-- 
Brane Čibej   <br...@xbc.nu>   http://www.xbc.nu/brane/


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: How much libsvn_repos wrap around the libsvn_fs

[Colin Watson <cj...@flatline.org.uk>]

On Fri, Jan 03, 2003 at 08:37:55PM +0100, Branko ??ibej wrote:
> Seth W. Klein wrote:
> >Branko ????ibej <br...@xbc.nu> wrote:
> >>Just a note here -- any ACL system we implement within Subversion will
> >>have to be inherent to libsvn_fs in any case, so that all RA methods can
> >>use it. Sure, it'll be more or less advisory for ra_local.
> >
> >Does this remain true even if the svn binary is suid svn and the
> >repository is writeable only by that user?
> 
> Of course. If you do that, getuid() will always return "svn", and how
> else will you authenticate a local user?

No, getuid() will return the calling user's uid. geteuid() will return
the uid of the svn user.

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: How much libsvn_repos wrap around the libsvn_fs

[Branko Čibej <br...@xbc.nu>]

Seth W. Klein wrote:

>Branko ÄŒibej <br...@xbc.nu> wrote:
>  
>
>>Michael Wood wrote:
>>    
>>
>>>On Fri, Jan 03, 2003 at 12:37:07PM +0530, Nitin Shukla wrote:
>>>[snip]
>>>
>>>      
>>>
>>>>this would require an ACL system inherent to libsvn_fs.  Probably, I
>>>>am asking too much and trying to figure out something impossible.
>>>>        
>>>>
>>>Indeed :)  Concentrate on ra_dav and ra_svn instead and ignore ra_local
>>>as far as ACLs are concerned.
>>>      
>>>
>>Just a note here -- any ACL system we implement within Subversion will
>>have to be inherent to libsvn_fs in any case, so that all RA methods can
>>use it. Sure, it'll be more or less advisory for ra_local.
>>    
>>
>
>Does this remain true even if the svn binary is suid svn and the
>repository is writeable only by that user?
>  
>

Of course. If you do that, getuid() will always return "svn", and how
else will you authenticate a local user?

-- 
Brane Čibej   <br...@xbc.nu>   http://www.xbc.nu/brane/


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: How much libsvn_repos wrap around the libsvn_fs

["Seth W. Klein" <sk...@sethwklein.net>]

Branko Čibej <br...@xbc.nu> wrote:
> Michael Wood wrote:
> >On Fri, Jan 03, 2003 at 12:37:07PM +0530, Nitin Shukla wrote:
> >[snip]
> >
> >>this would require an ACL system inherent to libsvn_fs.  Probably, I
> >>am asking too much and trying to figure out something impossible.
> >
> >Indeed :)  Concentrate on ra_dav and ra_svn instead and ignore ra_local
> >as far as ACLs are concerned.
> 
> Just a note here -- any ACL system we implement within Subversion will
> have to be inherent to libsvn_fs in any case, so that all RA methods can
> use it. Sure, it'll be more or less advisory for ra_local.

Does this remain true even if the svn binary is suid svn and the
repository is writeable only by that user?

cheers,
Seth W. Klein
-- 
sk@sethwklein.net                             http://www.sethwklein.net/

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: How much libsvn_repos wrap around the libsvn_fs

[Branko Čibej <br...@xbc.nu>]

Michael Wood wrote:

>On Fri, Jan 03, 2003 at 12:37:07PM +0530, Nitin Shukla wrote:
>[snip]
>
>>this would require an ACL system inherent to libsvn_fs.  Probably, I
>>am asking too much and trying to figure out something impossible.
>>    
>>
>
>Indeed :)  Concentrate on ra_dav and ra_svn instead and ignore ra_local
>as far as ACLs are concerned.
>

Just a note here -- any ACL system we implement within Subversion will
have to be inherent to libsvn_fs in any case, so that all RA methods can
use it. Sure, it'll be more or less advisory for ra_local.


-- 
Brane Čibej   <br...@xbc.nu>   http://www.xbc.nu/brane/


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: How much libsvn_repos wrap around the libsvn_fs

[Michael Wood <mw...@its.uct.ac.za>]

On Fri, Jan 03, 2003 at 12:37:07PM +0530, Nitin Shukla wrote:
[snip]
> Indeed the access control is ultimately governed by OS file
> permissions. Is there a way of setting OS level file and folder
> permissions for every files and folder we check into the Subversion
> repository, say something similar to Unix style permission. Guess,

No, because the files are not stored separately in the repository as
files in a Unix filesystem.  They are stored in a Berkeley DB database.
If you have read access to the Berkeley DB database files, you can get
access to their contents.  There's no way to say that you can only
access certain parts of the Berkeley DB database.

> this would require an ACL system inherent to libsvn_fs.  Probably, I
> am asking too much and trying to figure out something impossible.

Indeed :)  Concentrate on ra_dav and ra_svn instead and ignore ra_local
as far as ACLs are concerned.

> ra_local really looks to be insecure by design. Does Subversion intend
> to eliminate this method of accessing repository in future version of
> subversion and probably use ra_svn even for local access.
[snip]

Not as far as I know.  As far as I am concerned, ra_local is really for
single user use (in which case ACLs don't make very much sense, except
for helping to minimise mistakes, like committing to a tag.)

If you want to use ra_local for multi-user access, then you have to
trust your users.  If you want "proper" multi-user access, use ra_svn or
ra_dav, which can enforce the ACLs.

There's no reason to do away with ra_local, just because some people
need multi-user access with ACLs.  There are still people who will just
want a small single-user repository for their own private stuff.  Why
force them to use ra_svn or ra_dav when ra_local will do nicely?

-- 
Michael Wood <mw...@its.uct.ac.za>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: How much libsvn_repos wrap around the libsvn_fs

[Michael Wood <mw...@its.uct.ac.za>]

On Thu, Dec 26, 2002 at 03:02:44PM -0600, Karl Fogel wrote:
> "Nitin Shukla" <ni...@infotech.stph.net> writes:
> > Apache can handle request for remote svn client. We can solve the
> > problem of Access Control with your approach. But how do we go about
> > handling the local svn client requests? One approach seems to be the
> > hook programs but currently they are not sufficient hook programs to
> > provide read, write control.
> 
> Nitin, are you aware that local (`ra_local') access control is
> ultimately governed by OS file permissions?  Even if Subversion had
> ACLs, they would only be secure over ra_local with a friendly client.
> Anyone could bypass the access control with a little ingenuity.
> 
> There's really no way around this problem, if the client is on the
> same machine as the repository.

In other words, ra_local is insecure by design if you want multiple
people to access it and also have access restrictions to certain parts
of the tree etc.

I suppose people should use ra_svn instead if they want a "local"
repository with ACLs.  (Of course ra_svn isn't really local, but you
could run it on the same machine as the clients.)

(er... in case anyone's wondering, I do know that ACLs aren't yet
implemented :)

-- 
Michael Wood <mw...@its.uct.ac.za>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

RE: How much libsvn_repos wrap around the libsvn_fs

[Nitin Shukla <ni...@infotech.stph.net>]

"Nitin Shukla" <ni...@infotech.stph.net> writes:
> Apache can handle request for remote svn client. We can solve the problem
of
> Access
> Control with your approach. But how do we go about handling the local svn
> client
> requests? One approach seems to be the hook programs but currently they
are
> not
> sufficient hook programs to provide read, write control.

Nitin, are you aware that local (`ra_local') access control is
ultimately governed by OS file permissions?  Even if Subversion had
ACLs, they would only be secure over ra_local with a friendly client.
Anyone could bypass the access control with a little ingenuity.

There's really no way around this problem, if the client is on the
same machine as the repository.


Indeed the access control is ultimately governed by OS file permissions. Is
there
a way of setting OS level file and folder permissions for every files and
folder
we check into the Subversion repository, say something similar to Unix style
permission. Guess, this would require an ACL system inherent to libsvn_fs.
Probably, I am asking too much and trying to figure out something
impossible.

ra_local really looks to be insecure by design. Does Subversion intend to
eliminate
this method of accessing repository in future version of subversion and
probably use
ra_svn even for local access.

Finally, when is the Subversion 1.0 or beta version intended to be released?

Nitin.



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: How much libsvn_repos wrap around the libsvn_fs

[Karl Fogel <kf...@newton.ch.collab.net>]

"Nitin Shukla" <ni...@infotech.stph.net> writes:
> Apache can handle request for remote svn client. We can solve the problem of
> Access
> Control with your approach. But how do we go about handling the local svn
> client
> requests? One approach seems to be the hook programs but currently they are
> not
> sufficient hook programs to provide read, write control.

Nitin, are you aware that local (`ra_local') access control is
ultimately governed by OS file permissions?  Even if Subversion had
ACLs, they would only be secure over ra_local with a friendly client.
Anyone could bypass the access control with a little ingenuity.

There's really no way around this problem, if the client is on the
same machine as the repository.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: How much libsvn_repos wrap around the libsvn_fs

[Rajini <ra...@infotech.stph.net>]

Apache is used only to authorize the remote user accessing the repository
via Internet. In the case of local user access to repository, Apache is not
coming in picture. To authorize the local user request, subversion supports
the templetes for hook scripts which will only athorize the user request for
commit operations. If anyone knows how to implement the read and write
sentinels in Subversion then I think the local user request accessing for a
resource can be authorized by these read and write sentinels. Please keep in
mind that the protocol for implementing the read and write sentinels is yet
to be implemented.

----- Original Message -----
From: "Nitin Shukla" <ni...@infotech.stph.net>
To: "'emf'" <i...@mindlace.net>; <de...@subversion.tigris.org>
Sent: Thursday, December 26, 2002 12:59 PM
Subject: RE: How much libsvn_repos wrap around the libsvn_fs


> Nitin Shukla wrote:
> > Has there been any approach to develop the read hook scripts
> > I know that the read sentinels are yet to be implemented and
> > is supposed to communicate with the Subversion server using
> > protocol which not decided yet. Probably LDAP can be used
> > if we can make Subversion server understand LDAP protocols.
> > If anyone has thought any approach i.e. developing read hook
> > scripts and/or implementing the read sentinels pls. update me.
>
> ~mindlace wrote:
> I don't understand why you're trying to solve this problem in subversion;
it
> seems like the place to handle this is apache. Having per-path permissions
> checking would be relatively easy to implement with, for example,
mod_python
> (or
> mod_perl, if that's your preference) which could call out to LDAP or
> whatever
> external permission-storing mechanism you want to use.
>
> Apache can handle request for remote svn client. We can solve the problem
of
> Access
> Control with your approach. But how do we go about handling the local svn
> client
> requests? One approach seems to be the hook programs but currently they
are
> not
> sufficient hook programs to provide read, write control.
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: dev-help@subversion.tigris.org
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: dev-help@subversion.tigris.org
>


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

RE: How much libsvn_repos wrap around the libsvn_fs

[Nitin Shukla <ni...@infotech.stph.net>]

Nitin Shukla wrote:
> Has there been any approach to develop the read hook scripts
> I know that the read sentinels are yet to be implemented and
> is supposed to communicate with the Subversion server using
> protocol which not decided yet. Probably LDAP can be used
> if we can make Subversion server understand LDAP protocols.
> If anyone has thought any approach i.e. developing read hook
> scripts and/or implementing the read sentinels pls. update me.

~mindlace wrote:
I don't understand why you're trying to solve this problem in subversion; it
seems like the place to handle this is apache. Having per-path permissions
checking would be relatively easy to implement with, for example, mod_python
(or
mod_perl, if that's your preference) which could call out to LDAP or
whatever
external permission-storing mechanism you want to use.

Apache can handle request for remote svn client. We can solve the problem of
Access
Control with your approach. But how do we go about handling the local svn
client
requests? One approach seems to be the hook programs but currently they are
not
sufficient hook programs to provide read, write control.



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: How much libsvn_repos wrap around the libsvn_fs

[emf <i...@mindlace.net>]

Nitin Shukla wrote:
> Has there been any approach to develop the read hook scripts
> I know that the read sentinels are yet to be implemented and
> is supposed to communicate with the Subversion server using
> protocol which not decided yet. Probably LDAP can be used
> if we can make Subversion server understand LDAP protocols.
> If anyone has thought any approach i.e. developing read hook
> scripts and/or implementing the read sentinels pls. update me.

I don't understand why you're trying to solve this problem in subversion; it 
seems like the place to handle this is apache. Having per-path permissions 
checking would be relatively easy to implement with, for example, mod_python (or 
mod_perl, if that's your preference) which could call out to LDAP or whatever 
external permission-storing mechanism you want to use.

~mindlace


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: How much libsvn_repos wrap around the libsvn_fs

[Karl Fogel <kf...@newton.ch.collab.net>]

"Nitin Shukla" <ni...@infotech.stph.net> writes:
> Has there been any approach to develop the read hook scripts?
> I know that the read sentinels are yet to be implemented and
> is supposed to communicate with the Subversion server using
> protocol which not decided yet. Probably LDAP can be used
> if we can make Subversion server understand LDAP protocols.
> If anyone has thought any approach i.e. developing read hook
> scripts and/or implementing the read sentinels pls. update me.
> Is there any such work going on in the Subversion Development
> community?

No; we've pretty much let them lie, and probably will continue to do
so until after 1.0, since there's a whole protocol to design here.

If you'll be using ra_dav, then I'd recommend doing access control via
Apache, since it's there for free (I doubt that Greg Hudson wants to
add ACLs to ra_svn independently of some future core Subversion ACL
system, though I could be wrong there).

Note that true access control is impossible over ra_local, since the
controlling factor there is OS file permissions.  All Subversion can
do in the ra_local case is make it more or less convenient to get at
the data.

-K

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

RE: How much libsvn_repos wrap around the libsvn_fs

[Nitin Shukla <ni...@infotech.stph.net>]

Has there been any approach to develop the read hook scripts?
I know that the read sentinels are yet to be implemented and
is supposed to communicate with the Subversion server using
protocol which not decided yet. Probably LDAP can be used
if we can make Subversion server understand LDAP protocols.
If anyone has thought any approach i.e. developing read hook
scripts and/or implementing the read sentinels pls. update me.
Is there any such work going on in the Subversion Development
community?


"Nitin Shukla" <ni...@infotech.stph.net> writes:

> I am interested in knowing what are the other events which will be
> interfaced by the repository access library, as these would empower hooks
to
> have fine control over the access to the repository?

Someday we hope to have not just 'write' hooks (start-commit,
pre-commit, post-commit), but 'read' hooks as well: these would
somehow create pipes to long-running hook processes (we call them
"sentinels") that would allow or disallow clients to read specific
paths in the repository.

Nitin, maybe we should cut to the chase here.  :-) I know that you've
been assigned to implement some kind of fine-grained ACL system on top
of Subversion.  There are three ways you can do this, I believe, in
increasing order of complexity:

1.  Write an custom apache module to do authentication of every
    incoming HTTP request to the Subversion repository.  Your apache
    module could speak to a database containing ACLs.  It's easy for
    your module to distinguish between read requests (GET, PROPFIND,
    OPTIONS, REPORT) and write requests (PUT, PROPPATCH, COPY, etc.)

2.  Write some complex write-hook programs, using the existing hook
    feature in libsvn_repos.  Presumably these write-hook programs
    would also speak to a database containing ACL information.  That's
    the easy part: the harder part is the fact that we don't yet have
    any read-hooks.  We'd need to design that feature and add it to
    libsvn_repos.

3.  Design an ACL system that is inherent to libsvn_fs.  This is the
    difficult theoretical problem that nobody has been able to tackle
    yet.  It's very hard.




---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: How much libsvn_repos wrap around the libsvn_fs

[Ben Collins-Sussman <su...@collab.net>]

"Nitin Shukla" <ni...@infotech.stph.net> writes:

> I am interested in knowing what are the other events which will be
> interfaced by the repository access library, as these would empower hooks to
> have fine control over the access to the repository?

Someday we hope to have not just 'write' hooks (start-commit,
pre-commit, post-commit), but 'read' hooks as well: these would
somehow create pipes to long-running hook processes (we call them
"sentinels") that would allow or disallow clients to read specific
paths in the repository.

Nitin, maybe we should cut to the chase here.  :-) I know that you've
been assigned to implement some kind of fine-grained ACL system on top
of Subversion.  There are three ways you can do this, I believe, in
increasing order of complexity:

1.  Write an custom apache module to do authentication of every
    incoming HTTP request to the Subversion repository.  Your apache
    module could speak to a database containing ACLs.  It's easy for
    your module to distinguish between read requests (GET, PROPFIND,
    OPTIONS, REPORT) and write requests (PUT, PROPPATCH, COPY, etc.)

2.  Write some complex write-hook programs, using the existing hook
    feature in libsvn_repos.  Presumably these write-hook programs
    would also speak to a database containing ACL information.  That's
    the easy part: the harder part is the fact that we don't yet have
    any read-hooks.  We'd need to design that feature and add it to
    libsvn_repos.

3.  Design an ACL system that is inherent to libsvn_fs.  This is the
    difficult theoretical problem that nobody has been able to tackle
    yet.  It's very hard.




---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org