Posted to dev@subversion.apache.org by Jon Foster <Jo...@cabot.co.uk> on 2010/05/12 12:07:12 UTC

Possible security problem with svnsync?

Hi,

I have a repository that is partially mirrored, using svnsync and
mod_authz_svn [1].  I just realised that the administrator of the
mirror server can bypass the authz rules I've set up on the master
server.  All he has to do is change the svn:sync-from-url property
on the mirror repository to be a file:// URL to the source
repository, rather than a http:// one.  The correct file:// URL is
probably guessable.

Using file:// will bypass Apache's authz rules, so only filesystem
permissions are relevant.  Since svnsync is being run by the
post-commit hook, it's running on the master server as the apache
user.  That user has to have access to the repository files on disk,
because Apache is serving the SVN repository.

If the administrator of the mirror repository wants a full mirror of
all the secret stuff, then they also have to delete and recreate the
mirror repository, and set the revprops on r0 so that svnsync will
do a full sync the next time it is invoked.


Attack #2 (other repositories):

More generally, the administrator of the mirror repository can use
this attack to get a full mirror of ANY repository that svnsync can
access, if they know both the repository URL and UUID.  In practice,
the requirement to know the UUID is likely to frustrate most attacks
that are directed against other repositories.  (It does not provide
any protection whatsoever against the basic "bypass authz" attack
described earlier in this mail, because the mirror repository's
"svn:sync-from-uuid" property already contains the correct UUID).
But the repository UUID was never intended to be a security-critical
secret - it's included in plaintext in every SVN checkout, and
changing it requires everyone to fix up their working copies.


Possible workarounds:

- Don't run svnsync on the same system as the master repository,
  run it on the mirror server instead.
- Run svnsync as a different user that doesn't have access to any
  repository files.


Suggested fix:

Please can we change "svnsync sync" to allow both the source and
target URLs to be specified?  That rather simple measure would block
this attack.  Since svnsync is usually invoked from a script, typing
the extra URL isn't a problem.

(If only one URL is specified, then svnsync should probably behave
as it does today, for backward-compatibility.  And we should
document that svnsync trusts the mirror server if you only provide
one URL).


Kind regards,

Jon Foster

[1] This is documented as supported in
http://svn.apache.org/repos/asf/subversion/trunk/notes/svnsync.txt
see "Q: How does svnsync deal with parts of the master repository
that I'm not authorized to read?"


**********************************************************************
This email and its attachments may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Cabot Communications Ltd.

If you are not the intended recipient of this email and its attachments, you must take no action based upon them, nor must you copy or show them to anyone.

Cabot Communications Limited
Verona House, Filwood Road, Bristol BS16 3RY, UK
+44 (0) 1179584232

Co. Registered in England number 02817269

Please contact the sender if you believe you have received this email in error.

**********************************************************************


______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________
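An added example, not part of the thread and not the Subversion project's own code, showing the hook-side picture Jon describes: the revision property a mirror administrator can repoint, a check that refuses a repointed source before svnsync is started, and the two-URL invocation that the fix committed for issue #3637 provides. Every hostname, path and the "svnsync" service account below are assumed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Subversion project: a
# post-commit hook that pushes a master repository to a mirror with svnsync,
# showing the trusting invocation the thread describes next to a hardened one.
# Every path, hostname and account name below is an assumption for illustration.
#
# What the mirror administrator can do (on the mirror host).  svnsync keeps its
# state as unversioned revision properties on r0 of the mirror.  Changes to
# those properties over the network are gated only by the mirror's own
# pre-revprop-change hook, which the mirror administrator controls (and
# "svnadmin setrevprop" bypasses hooks entirely), so the recorded source can be
# repointed at the master's on-disk path, which the apache user can read:
#
#   svn propset --revprop -r 0 svn:sync-from-url \
#       file:///srv/svn/master https://mirror.example/svn/repo
#
# On the master, "svnsync sync https://mirror.example/svn/repo" then reads that
# property back, opens file:///srv/svn/master with no mod_authz_svn in the way,
# and copies every path to the mirror.

MIRROR_URL="https://mirror.example/svn/repo"      # assumed mirror location
SOURCE_URL="https://master.example/svn/repo"      # the only source we intend

# check_sync_source RECORDED EXPECTED
# Succeeds only when the URL the mirror records as its source is a network
# URL (so the master's own authz applies) and is exactly the configured one.
# An exact match also defeats the "other repository" variant, which has to
# change this property to point at a different repository.
check_sync_source() {
    recorded=$1
    expected=$2
    case "$recorded" in
        http://*|https://*|svn://*) ;;
        *)
            echo "svnsync hook: refusing non-network source '$recorded'" >&2
            return 1 ;;
    esac
    if [ "$recorded" != "$expected" ]; then
        echo "svnsync hook: mirror records '$recorded', expected '$expected'" >&2
        return 1
    fi
    return 0
}

# sync_mirror MIRROR SOURCE
# Hardened push.  Before the fix for issue #3637 the only available form was
#     svnsync sync "$MIRROR"
# which takes the source URL from the mirror's r0 revprops, i.e. from the
# party we are trying to keep partial data from.  So: read the property back
# first, refuse anything but the configured source, and then name the source
# explicitly; releases that carry the fix (Subversion 1.7 onward) accept
#     svnsync sync DEST_URL [SOURCE_URL]
# and use SOURCE_URL instead of the recorded property.
sync_mirror() {
    mirror=$1
    source=$2
    recorded=$(svn propget --revprop -r 0 svn:sync-from-url "$mirror") || return 1
    check_sync_source "$recorded" "$source" || return 1
    svnsync sync "$mirror" "$source"
}

# Hook entry point: Subversion invokes post-commit as "post-commit REPOS REV".
# Running this as a user with no read access to /srv/svn (the second workaround
# in the thread) closes the hole even on releases without the fix: keep this
# script outside the repository and let the hook itself do only
#     sudo -n -u svnsync /usr/local/bin/push-to-mirror "$1" "$2" &
# with a sudoers line such as
#     apache ALL=(svnsync) NOPASSWD: /usr/local/bin/push-to-mirror
if [ $# -eq 2 ]; then
    sync_mirror "$MIRROR_URL" "$SOURCE_URL"
fi
```

check_sync_source is the only part that runs without a Subversion installation; sync_mirror and the hook entry need svn and svnsync on the master and are executed only when the script is invoked with the two arguments Subversion passes to a post-commit hook.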

Re: Possible security problem with svnsync?

Posted by Greg Hudson <gh...@MIT.EDU>.
I would guess that svnsync was designed under the assumption that it
would be run on the slave repository via a cron job or something.  It's
a pull tool, not a push tool.

That said, your suggestion seems reasonable.

(When I've set up replicated repositories using push, I've used svnadmin
dump and svnadmin load, not svnsync.  But that doesn't work for your
scenario since it doesn't obey authz rules.)


RE: Possible security problem with svnsync?

Posted by Jon Foster <Jo...@cabot.co.uk>.
Hi,

C. Michael Pilato wrote:
> The proposed solution has been committed to trunk.

That was fast!  Many thanks for fixing this.

Kind regards,

Jon



Re: Possible security problem with svnsync?

Posted by "C. Michael Pilato" <cm...@collab.net>.
C. Michael Pilato wrote:
> Peter Samuelson wrote:
>> [Jon Foster]
>>> All he has to do is change the svn:sync-from-url property on the
>>> mirror repository to be a file:// URL to the source repository,
>>> rather than a http:// one.  The correct file:// URL is probably
>>> guessable.
>> I'd never thought of this as a security problem, but I _do_ think it's
>> a suboptimal design where a svnsync setup stores state on the mirrored
>> repository which is relative not to the mirror, but to whoever is
>> running svnsync.
>>
>>> Please can we change "svnsync sync" to allow both the source and
>>> target URLs to be specified?  That rather simple measure would block
>>> this attack.  Since svnsync is usually invoked from a script, typing
>>> the extra URL isn't a problem.
>> Yes, this sounds like a good design anyway, aside from the security
>> question.
> 
> I'm coding right now along these lines.

By the way, I'm tracking this as issue #3637[1].  The proposed solution has
been committed to trunk.

[1] http://subversion.tigris.org/issues/show_bug.cgi?id=3637

-- 
C. Michael Pilato <cm...@collab.net>
CollabNet   <>   www.collab.net   <>   Distributed Development On Demand


Re: Possible security problem with svnsync?

Posted by "C. Michael Pilato" <cm...@collab.net>.
Peter Samuelson wrote:
> [Jon Foster]
>> All he has to do is change the svn:sync-from-url property on the
>> mirror repository to be a file:// URL to the source repository,
>> rather than a http:// one.  The correct file:// URL is probably
>> guessable.
> 
> I'd never thought of this as a security problem, but I _do_ think it's
> a suboptimal design where a svnsync setup stores state on the mirrored
> repository which is relative not to the mirror, but to whoever is
> running svnsync.
> 
>> Please can we change "svnsync sync" to allow both the source and
>> target URLs to be specified?  That rather simple measure would block
>> this attack.  Since svnsync is usually invoked from a script, typing
>> the extra URL isn't a problem.
> 
> Yes, this sounds like a good design anyway, aside from the security
> question.

I'm coding right now along these lines.

-- 
C. Michael Pilato <cm...@collab.net>
CollabNet   <>   www.collab.net   <>   Distributed Development On Demand


Re: Possible security problem with svnsync?

Posted by Peter Samuelson <pe...@p12n.org>.
[Jon Foster]
> All he has to do is change the svn:sync-from-url property on the
> mirror repository to be a file:// URL to the source repository,
> rather than a http:// one.  The correct file:// URL is probably
> guessable.

I'd never thought of this as a security problem, but I _do_ think it's
a suboptimal design where a svnsync setup stores state on the mirrored
repository which is relative not to the mirror, but to whoever is
running svnsync.

> Please can we change "svnsync sync" to allow both the source and
> target URLs to be specified?  That rather simple measure would block
> this attack.  Since svnsync is usually invoked from a script, typing
> the extra URL isn't a problem.

Yes, this sounds like a good design anyway, aside from the security
question.

Peter

Re: Possible security problem with svnsync?

Posted by "C. Michael Pilato" <cm...@collab.net>.
Jon Foster wrote:
> Hi,
> 
> I have a repository that is partially mirrored, using svnsync and
> mod_authz_svn [1].  I just realised that the administrator of the
> mirror server can bypass the authz rules I've set up on the master
> server.  All he has to do is change the svn:sync-from-url property
> on the mirror repository to be a file:// URL to the source
> repository, rather than a http:// one.  The correct file:// URL is
> probably guessable.

Yes, you are correct.  If the admin of the mirror server changes the
sync-from URL to a properly guessed file:// URL, then svnsync, when run on
the master server, will read that URL from the mirror and use it for its
sync work, bypassing authz.

> Attack #2 (other repositories):
> 
> More generally, the administrator of the mirror repository can use
> this attack to get a full mirror of ANY repository that svnsync can
> access, if they know both the repository URL and UUID.  In practice,
> the requirement to know the UUID is likely to frustrate most attacks
> that are directed against other repositories.  (It does not provide
> any protection whatsoever against the basic "bypass authz" attack
> described earlier in this mail, because the mirror repository's
> "svn:sync-from-uuid" property already contains the correct UUID).
> But the repository UUID was never intended to be a security-critical
> secret - it's included in plaintext in every SVN checkout, and
> changing it requires everyone to fix up their working copies.

So, you're saying that svnsync, running on the master server via repos1's
hooks, would contact what it thinks is a mirror of repos1 on the mirror
server, read the sync URL (which actually points to file://.../repos2), and
start syncing repos2's data across the wire.  Right.  Um... Ewww.

> Possible workarounds:
> 
> - Don't run svnsync on the same system as the master repository,
>   run it on the mirror server instead.

This has high practical costs, though.

> - Run svnsync as a different user that doesn't have access to any
>   repository files.

This is a better workaround.

> Suggested fix:
> 
> Please can we change "svnsync sync" to allow both the source and
> target URLs to be specified?  That rather simple measure would block
> this attack.  Since svnsync is usually invoked from a script, typing
> the extra URL isn't a problem.
> 
> (If only one URL is specified, then svnsync should probably behave
> as it does today, for backward-compatibility.  And we should
> document that svnsync trusts the mirror server if you only provide
> one URL).

This is a very sensible suggestion.

-- 
C. Michael Pilato <cm...@collab.net>
CollabNet   <>   www.collab.net   <>   Distributed Development On Demand


RE: Possible security problem with svnsync?

Posted by Jon Foster <Jo...@cabot.co.uk>.
Hi,
 
Bob Archer wrote:
> Jon Foster wrote:
> > I have a repository that is partially mirrored, using svnsync and
> > mod_authz_svn [1].  I just realised that the administrator of the
> > mirror server can bypass the authz rules I've set up on the master
> > server.  All he has to do is change the svn:sync-from-url property
> > on the mirror repository to be a file:// URL to the source
> > repository, rather than a http:// one.  The correct file:// URL is
> > probably guessable.
> 
> Well, this has nothing to do with svnsync then does it? If you
> expose the repository file system then yes anyone can access it
> > bypassing the server. Even with svn.exe it can be done. You should
> use FS/Network permission so that your repositories are only
> available via your server (http or svn protocols).

I'm not exposing the repository file system to users, and I'm not
giving shell access to users.  The only way a user can access this
server is via Apache.  However, svnsync is started by the post-commit
hook.  (This is the recommended svnsync setup, as far as I can tell).
This means that svnsync is running on the server, as the "apache"
user, which gives it a lot of permissions - including the ability
to directly access the repository files.

The problem is that svnsync trusts the mirror server to give it the
correct source URL.

Kind regards,

Jon Foster



RE: Possible security problem with svnsync?

Posted by Bob Archer <Bo...@amsi.com>.
> I have a repository that is partially mirrored, using svnsync and
> mod_authz_svn [1].  I just realised that the administrator of the
> mirror server can bypass the authz rules I've set up on the master
> server.  All he has to do is change the svn:sync-from-url property
> on the mirror repository to be a file:// URL to the source
> repository, rather than a http:// one.  The correct file:// URL is
> probably guessable.

Well, this has nothing to do with svnsync then does it? If you expose the repository file system then yes anyone can access it bypassing the server. Even with svn.exe it can be done. You should use FS/Network permission so that your repositories are only available via your server (http or svn protocols).

Bob