Posted to dev@subversion.apache.org by Greg Hudson <gh...@MIT.EDU> on 2004/12/20 20:10:58 UTC

Hook scripts run with empty environment

We appear to run hook scripts with a totally empty environment,
instead of inheriting the environment of the svn process.  Is there a
reason for this?

(The mechanics of doing this appear to date back to r1189, where we
made it possible to run a program with an inherited environment but
opted not to do so for hook scripts.)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: Hook scripts run with empty environment

Posted by John Peacock <jp...@rowman.com>.
Greg Hudson wrote:

> We appear to run hook scripts with a totally empty environment,
> instead of inheriting the environment of the svn process.  Is there a
> reason for this?

Security (see: false sense of)?  I know I'd prefer to have the svnserve 
execute hook scripts with its own current environment, since it means my 
hook script doesn't need to set everything manually.

John

-- 
John Peacock
Director of Information Research and Technology
Rowman & Littlefield Publishing Group
4501 Forbes Boulevard
Suite H
Lanham, MD  20706
301-459-3366 x.5010
fax 301-429-5748


Re: Hook scripts run with empty environment

Posted by Ben Collins-Sussman <su...@collab.net>.
On Jan 16, 2005, at 1:14 AM, kfogel@collab.net wrote:

> Faheem Mitha <fa...@email.unc.edu> writes:
>> I just ran into this problem (in the context of file:// and
>> svn+ssh://).
>>
>> It took me a while to track down because I am so used to taking for
>> granted that shell scripts inherit environmental variables.
>>
>> If you are not planning to change this, I suggest you put suitable
>> warnings in the template files in the hook subdirectory of the
>> repository. Most people look at these before creating their own hook
>> scripts.
>
> The hook templates now contain a warning about this (see r12745).
> Thanks to you and others for the suggestion.
>
> -Karl
>

Chapter 5 in the book now also mentions this, as of last weekend.




Re: Hook scripts run with empty environment

Posted by kf...@collab.net.
Faheem Mitha <fa...@email.unc.edu> writes:
> I just ran into this problem (in the context of file:// and
> svn+ssh://).
> 
> It took me a while to track down because I am so used to taking for
> granted that shell scripts inherit environmental variables.
> 
> If you are not planning to change this, I suggest you put suitable
> warnings in the template files in the hook subdirectory of the
> repository. Most people look at these before creating their own hook
> scripts.

The hook templates now contain a warning about this (see r12745).
Thanks to you and others for the suggestion.

-Karl


Re: Hook scripts run with empty environment

Posted by Faheem Mitha <fa...@email.unc.edu>.
On Wed, 22 Dec 2004 14:22:45 -0500, Greg Hudson <gh...@MIT.EDU> wrote:
> On Wed, 2004-12-22 at 14:15, Justin Erenkrantz wrote:
>> Yes, it does.  httpd always resets the environment for CGI scripts except for 
>> a very small subset of environment variables.  Most notably, PATH is retained: 
>> see ap_add_common_vars in util_script.c.  And, even then the #1 complaint we 
>> always get with respect to CGI scripts is that the PATH differs from user to 
>> user depending upon who starts it.  (This causes chaos when you use sudo, etc.)
>
> Interesting.  (That's one of the motivations of djb's daemontools
> package, incidentally, but insisting on starting everything from init is
> probably overkill.)
>
> I still feel that it's pretty bogus in the case of file:// and
> svn+ssh://.  Not sure how to differentiate between those cases, though.

I just ran into this problem (in the context of file:// and
svn+ssh://).

It took me a while to track down because I am so used to taking for
granted that shell scripts inherit environmental variables.

If you are not planning to change this, I suggest you put suitable
warnings in the template files in the hook subdirectory of the
repository. Most people look at these before creating their own hook
scripts.

                                                               Faheem.



Re: Hook scripts run with empty environment

Posted by Greg Hudson <gh...@MIT.EDU>.
On Wed, 2004-12-22 at 14:15, Justin Erenkrantz wrote:
> Yes, it does.  httpd always resets the environment for CGI scripts except for 
> a very small subset of environment variables.  Most notably, PATH is retained: 
> see ap_add_common_vars in util_script.c.  And, even then the #1 complaint we 
> always get with respect to CGI scripts is that the PATH differs from user to 
> user depending upon who starts it.  (This causes chaos when you use sudo, etc.)

Interesting.  (That's one of the motivations of djb's daemontools
package, incidentally, but insisting on starting everything from init is
probably overkill.)

I still feel that it's pretty bogus in the case of file:// and
svn+ssh://.  Not sure how to differentiate between those cases, though.



Re: Hook scripts run with empty environment

Posted by Justin Erenkrantz <ju...@erenkrantz.com>.
--On Wednesday, December 22, 2004 2:01 PM -0500 Greg Hudson <gh...@MIT.EDU> 
wrote:

> But doesn't the same argument apply to Subversion itself?  And to CGI
> scripts which are run by httpd?  httpd doesn't empty out the environment
> for those, does it?

Yes, it does.  httpd always resets the environment for CGI scripts except for 
a very small subset of environment variables.  Most notably, PATH is retained: 
see ap_add_common_vars in util_script.c.  And, even then the #1 complaint we 
always get with respect to CGI scripts is that the PATH differs from user to 
user depending upon who starts it.  (This causes chaos when you use sudo, etc.)

> Well, it sucks for a Kerberos-using site using file:// URLs.  You can't
> use the user's Kerberos tickets from a hook script because the
> KRB5CCNAME environment variable is lost.

You wouldn't get that behavior with a CGI script either.  Take a look at 
printenv in the cgi-bin/ dir: it'll dump what is available.  -- justin
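
[Added example, not part of the original message and not code from Subversion or httpd.] The two behaviours discussed in this thread, an empty environment versus a reset environment that keeps a small named subset, sketched as a hook launcher. `run_scrubbed`, `child_sees`, `SAFE_PATH` and the sample values are hypothetical names and constructed data.

```shell
#!/bin/sh
# Added example: not Subversion or httpd code. All names are hypothetical.

# Fixed search path handed to every child (assumption; adjust per host).
SAFE_PATH="/usr/bin:/bin"

# run_scrubbed "VAR1 VAR2 ..." command [args...]
# Runs command with an empty environment plus SAFE_PATH and whichever
# allowlisted variables are currently set in the caller.
run_scrubbed() {
    allow=$1
    shift
    for name in $allow; do
        case $name in
            PATH) continue ;;                      # PATH stays pinned
            ''|[0-9]*|*[!A-Za-z0-9_]*) continue ;; # not a valid name
        esac
        eval "isset=\${$name+x}"
        [ -n "$isset" ] || continue                # unset in caller: skip
        eval "val=\$$name"
        set -- "$name=$val" "$@"                   # prepend NAME=value
    done
    env -i PATH="$SAFE_PATH" "$@"
}

# child_sees VAR "allowlist": what a child started through run_scrubbed
# sees for VAR, or "<unset>" if the variable did not survive.
child_sees() {
    run_scrubbed "$2" sh -c 'eval "printf %s \"\${$1-<unset>}\""' sh "$1"
}

# Constructed sample values standing in for a user's login environment.
KRB5CCNAME="FILE:/tmp/krb5cc_constructed"; export KRB5CCNAME
EDITOR="constructed-editor"; export EDITOR

echo "empty allowlist:  KRB5CCNAME=$(child_sees KRB5CCNAME '')"
echo "with allowlist:   KRB5CCNAME=$(child_sees KRB5CCNAME 'KRB5CCNAME')"
echo "not allowlisted:  EDITOR=$(child_sees EDITOR 'KRB5CCNAME')"
echo "pinned:           PATH=$(child_sees PATH 'PATH')"
```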


Re: Hook scripts run with empty environment

Posted by Greg Hudson <gh...@MIT.EDU>.
On Wed, 2004-12-22 at 13:57, Justin Erenkrantz wrote:
> > I don't know (John Peacock's speculation of "security" might be right,
> > but I don't have any memories backing that up).  It would make sense
> > to use the process environment, IMHO, and I'd be +1 on a fix or,
> > failing that, an issue to record the enhancement.
> 
> I don't think so.  For an httpd setup, you are better off assuming that the 
> environment is empty because you'd be inheriting the process environment of 
> the user who started it: and that can easily change.

But doesn't the same argument apply to Subversion itself?  And to CGI
scripts which are run by httpd?  httpd doesn't empty out the environment
for those, does it?

> I think keeping it with an empty environment leads to the most predictable 
> behavior on our parts.  Otherwise, things may break depending upon who started 
> the server: and that causes all sorts of goofy badness.  -- justin

Well, it sucks for a Kerberos-using site using file:// URLs.  You can't
use the user's Kerberos tickets from a hook script because the
KRB5CCNAME environment variable is lost.



Re: Hook scripts run with empty environment

Posted by Justin Erenkrantz <ju...@erenkrantz.com>.
--On Monday, December 20, 2004 3:32 PM -0600 kfogel@collab.net wrote:

> I don't know (John Peacock's speculation of "security" might be right,
> but I don't have any memories backing that up).  It would make sense
> to use the process environment, IMHO, and I'd be +1 on a fix or,
> failing that, an issue to record the enhancement.

I don't think so.  For an httpd setup, you are better off assuming that the 
environment is empty because you'd be inheriting the process environment of 
the user who started it: and that can easily change.

I think keeping it with an empty environment leads to the most predictable 
behavior on our parts.  Otherwise, things may break depending upon who started 
the server: and that causes all sorts of goofy badness.  -- justin


Re: Hook scripts run with empty environment

Posted by kf...@collab.net.
Greg Hudson <gh...@MIT.EDU> writes:
> We appear to run hook scripts with a totally empty environment,
> instead of inheriting the environment of the svn process.  Is there a
> reason for this?
> 
> (The mechanics of doing this appear to date back to r1189, where we
> made it possible to run a program with an inherited environment but
> opted not to do so for hook scripts.)

I don't know (John Peacock's speculation of "security" might be right,
but I don't have any memories backing that up).  It would make sense
to use the process environment, IMHO, and I'd be +1 on a fix or,
failing that, an issue to record the enhancement.

