Posted to dev@subversion.apache.org by Tom Rune Flo <to...@x86.no> on 2005/04/26 04:37:00 UTC

svnserve privilege changing/dropping command line options patch

The following patch will add two command line options to svnserve,
allowing users who run svnserve as a stand alone daemon to drop
privileges to a user specified uid and gid. (-u uid  -g gid)

As I'm not very familiar with the Subversion codebase and standards,
my patch may not be the optimal way of doing this.  I am, however,
sending this patch to the list in hope that somebody can pick this
up and make a decent feature out of it.

The patch is included below, but can also be found at:
  http://forkbomb.org/svn-1.2.0-rc2-svnserve-uid-gid-option.patch


- Tom.




diff -ruN subversion-1.2.0-rc2/subversion/svnserve/main.c subversion-1.2.0-rc2-hack/subversion/svnserve/main.c
--- subversion-1.2.0-rc2/subversion/svnserve/main.c	2005-04-16 21:23:41.000000000 +0100
+++ subversion-1.2.0-rc2-hack/subversion/svnserve/main.c	2005-04-26 05:21:20.000000000 +0100
@@ -119,6 +119,8 @@
     {"threads",          'T', 0, N_("use threads instead of fork")},
 #endif
     {"listen-once",      'X', 0, N_("listen once (useful for debugging)")},
+    {"uid",              'u', 1, N_("drop privileges to uid (daemon mode)")},
+    {"gid",              'g', 1, N_("drop privileges to gid (daemon mode)")},
     {0,                  0,   0, 0}
   };
 
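Review bot: the help strings for --uid/--gid do not say whether a numeric id or an account name is expected; make that explicit (for example "drop privileges to numeric uid (daemon mode)"), and since this diff touches only the option table, the usage text and the svnserve man page still need the two new options added.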
@@ -286,11 +288,13 @@
     }
 
   apr_getopt_init(&os, pool, argc, argv);
-
+ 
   params.root = "/";
   params.tunnel = FALSE;
   params.tunnel_user = NULL;
   params.read_only = FALSE;
+  params.uid = getuid();
+  params.gid = getgid();
   while (1)
     {
       status = apr_getopt_long(os, svnserve__options, &opt, &arg);
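Review bot: the `-`/`+ ` pair at the top of this hunk only adds trailing whitespace to a blank line and should be dropped. More importantly, `getuid()`/`getgid()` are POSIX calls used here unconditionally, while the drop code later in main.c is placed under APR_HAS_FORK; either guard these defaults the same way or obtain the current ids through APR's `apr_uid_current()` so the non-POSIX build of svnserve still compiles.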
@@ -314,6 +318,14 @@
           mode_opt_count++;
           break;
 
+        case 'u':
+          params.uid = atoi(arg);
+          break;
+
+        case 'g':
+          params.gid = atoi(arg);
+          break;
+
         case SVNSERVE_OPT_FOREGROUND:
           foreground = TRUE;
           break;
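Review bot: `atoi(arg)` gives no error indication, so `-u svn` or `-u 10x` silently becomes uid 0 or uid 10, and the daemon may keep running as root while the operator believes privileges were dropped. Parse with `strtol()` and reject trailing characters and negative values, or resolve names with `getpwnam()`/`getgrnam()`, and exit with a usage error on anything else; rejecting an explicit id 0 here is also cheap insurance.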
@@ -465,8 +477,26 @@
   apr_socket_listen(sock, 7);
 
 #if APR_HAS_FORK
-  if (run_mode != run_mode_listen_once && !foreground)
+  if (run_mode != run_mode_listen_once && !foreground) {
+
+    if ((params.gid != getgid()) && setregid(params.gid, params.gid) == -1) {
+      svn_error_clear  
+        (svn_cmdline_fprintf
+           (stderr, pool,
+            _("Failed to set GID\n")));
+      exit(1);
+    }
+
+    if ((params.uid != getuid()) && setreuid(params.uid, params.uid) == -1) {
+      svn_error_clear  
+        (svn_cmdline_fprintf
+           (stderr, pool,
+            _("Failed to set UID\n")));
+      exit(1);
+    }
+
     apr_proc_detach(APR_PROC_DETACH_DAEMONIZE);
+  }
 
   apr_signal(SIGCHLD, sigchld_handler);
 #endif
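Review bot: the drop is incomplete: supplementary groups inherited from root are kept because there is no `setgroups()` call before `setregid()`, and nothing verifies afterwards that root cannot be regained (after a successful drop `setuid(0)` must fail). Because the whole block sits inside `if (run_mode != run_mode_listen_once && !foreground)`, -u/-g are also silently ignored with --foreground or -X, which the option help text does not say; the listen() call above is the right point to drop at, so move the drop out of that condition or reject the combination. Minor points: include errno and the requested id in the error messages, the two `svn_error_clear  ` lines carry trailing whitespace, and the brace placement differs from the surrounding code, which puts braces on their own lines.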
diff -ruN subversion-1.2.0-rc2/subversion/svnserve/server.h subversion-1.2.0-rc2-hack/subversion/svnserve/server.h
--- subversion-1.2.0-rc2/subversion/svnserve/server.h	2004-02-19 19:25:41.000000000 +0000
+++ subversion-1.2.0-rc2-hack/subversion/svnserve/server.h	2005-04-26 05:06:17.000000000 +0100
@@ -45,6 +45,12 @@
   /* True if the deprecated read-only flag was specified on the
      command-line, which forces all connections to be read-only. */
   svn_boolean_t read_only;
+
+  /* Run server as the specified UID and GID. Useful for dropping
+     privileges when started by root. */
+  uid_t uid;
+  gid_t gid;
+
 } serve_params_t;
 
 /* Serve the connection CONN according to the parameters PARAMS. */
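Review bot: `uid_t`/`gid_t` come from <sys/types.h> and are not available on every platform svnserve builds for; use `apr_uid_t`/`apr_gid_t` from apr_user.h or guard the fields with the same APR_HAS_FORK condition the main.c hunk uses. The comment should also state that the fields are only honoured in daemon mode, as the option help text says.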

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
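The privilege drop the patch above attempts, written the way a reviewer would want it. This is an added example, not code from the posted patch or from Subversion: it accepts user and group names as well as numeric ids, refuses the silent-zero behaviour of atoi(), clears supplementary groups, changes gid before uid, and then verifies that root cannot be regained. The helper names resolve_uid, resolve_gid and drop_privileges are this example's own.

```c
#define _GNU_SOURCE          /* setgroups() prototype on glibc */
#include <errno.h>
#include <grp.h>
#include <limits.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Strictly parse a non-negative decimal id. Unlike atoi(), this rejects
 * empty strings, signs, trailing junk and overflow, so a typo can never
 * silently turn into id 0 (root). Returns 0 on success, -1 otherwise. */
static int parse_numeric_id(const char *s, unsigned long *out)
{
    char *end;
    unsigned long v;

    if (s == NULL || *s == '\0' || *s == '-' || *s == '+')
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0' || v > (unsigned long)INT_MAX)
        return -1;
    *out = v;
    return 0;
}

/* Resolve ARG as a numeric uid or an account name (hypothetical helper,
 * not svnserve's). Returns the uid, or -1 if ARG is neither. */
long resolve_uid(const char *arg)
{
    unsigned long v;
    struct passwd *pw;

    if (parse_numeric_id(arg, &v) == 0)
        return (long)v;
    pw = getpwnam(arg);
    return pw ? (long)pw->pw_uid : -1;
}

/* Same for groups: numeric gid or group name, -1 if unknown. */
long resolve_gid(const char *arg)
{
    unsigned long v;
    struct group *gr;

    if (parse_numeric_id(arg, &v) == 0)
        return (long)v;
    gr = getgrnam(arg);
    return gr ? (long)gr->gr_gid : -1;
}

/* Permanently drop to UID/GID. Returns 0 on success, -1 with errno set.
 * Group identity is changed first, while still root: after setuid() the
 * process could no longer call setgroups() or setgid(). */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (getuid() == uid && geteuid() == uid
        && getgid() == gid && getegid() == gid)
        return 0;                           /* already there: nothing to do */

    /* The posted patch omits this: supplementary groups inherited from
     * root stay attached unless cleared explicitly. */
    if (geteuid() == 0 && setgroups(0, NULL) == -1)
        return -1;
    if (setgid(gid) == -1)
        return -1;
    if (setuid(uid) == -1)
        return -1;

    /* Verify the drop is irreversible: regaining root must now fail. */
    if (uid != 0 && (setuid(0) != -1 || geteuid() == 0)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Usage: ./drop <uid|user> <gid|group>, e.g. started by root as "./drop svn svn". */
int main(int argc, char **argv)
{
    long uid, gid;

    if (argc != 3) {
        fprintf(stderr, "usage: %s <uid|user> <gid|group>\n", argv[0]);
        return 2;
    }
    uid = resolve_uid(argv[1]);
    gid = resolve_gid(argv[2]);
    if (uid < 0 || gid < 0) {
        fprintf(stderr, "unknown user or group\n");    /* never silently uid 0 */
        return 2;
    }
    if (drop_privileges((uid_t)uid, (gid_t)gid) == -1) {
        perror("drop_privileges");
        return 1;
    }
    printf("now running as uid=%ld gid=%ld\n", (long)getuid(), (long)getgid());
    return 0;
}
```

Run as root with a real account, the program ends up as that account with no supplementary groups and with its saved uid also changed, so a later setuid(0) fails; run as an unprivileged user with its own ids, drop_privileges() is a no-op. The ordering (groups, then gid, then uid, then verify) is the part the patch's setregid()/setreuid() pair gets only half right.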

Re: svnserve privilege changing/dropping command line options patch

Posted by Greg Stein <gs...@lyra.org>.
One of svnserve's original design considerations was to be very, very
light weight compared to Apache. If you're going to get into all kinds
of fancy shmancy options and additional set uid/gid code and whatnot,
then you've moved away from one of its original design points.

Marcus provides some good options... very helpful to keep svnserve slim.

Cheers,
-g

On Tue, Apr 26, 2005 at 01:40:12PM +0200, Marcus Rueckert wrote:
> On 2005-04-26 08:52:31 +0200, Tom Rune Flo wrote:
> > One reason would be if you want to start svnserve automatically during 
> > boot time, as you probably do with most of your other daemonized servers.
> > 
> > You could of course write some sort of wrapper for this, but to me it
> > makes a lot more sense for svnserve to be able to set uid/gid by itself.
> 
> just some examples:
> # suse
> $ startproc -u svn -g svn -e /usr/bin/svnserve -d -r /srv/svn/repositories
> 
> # debian
> $ start-stop-daemon --start --chuid svn --group svn --exec /usr/bin/svnserve -- -d -r /srv/svn/repositories
> 
> # general
> sudo -u svn "/usr/bin/svnserve -d -r /srv/svn/repositories"
> 
> i think these are enough solutions, which all work.
> 
> darix

-- 
Greg Stein, http://www.lyra.org/


Re: svnserve privilege changing/dropping command line options patch

Posted by Marcus Rueckert <da...@web.de>.
On 2005-04-26 13:40:12 +0200, Marcus Rueckert wrote:
> just some examples:
[other solutions snipped]

i forgot about inetd:

[[[
$ cat /etc/xinetd.d/svn 
# svnserve via xinetd.
# please see http://svnbook.red-bean.com/en/1.1/ch06s03.html for
# documentation
# default: off
# service name has to be in /etc/services.
#
# example:
# $ grep "^svn " /etc/services 
# svn             3690/tcp   # Subversion
# svn             3690/udp   # Subversion
#
# some os/distros might put "svnserve" as service name
# 
service svn 
{
    disable         = no
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = svn
    group           = svn  
    server          = /usr/bin/svnserve
    server_args     = -i -r /srv/svn/repositories/ 
}
]]]

i don't use other inetds, but i am sure they have similar options.

darix

-- 
irssi - the client of the smart and beautiful people

              http://www.irssi.de/



Re: svnserve privilege changing/dropping command line options patch

Posted by Greg Hudson <gh...@MIT.EDU>.
On Tue, 2005-04-26 at 12:40, Tom Rune Flo wrote:
> I really cannot see why svnserve should be different.  Yes, one can use
> sudo, daemontools, inetd, all kinds of wrappers -- but should that really
> be necessary for a "daemonized" server?  What is the difference between
> svnserve (running with the -d option) and apache, or sshd?

Apache and sshd both bind to privileged ports, so need to be run as root
initially.  So they have to have this feature.

I think you can use the standard "su" command to run svnserve as a
particular user.



Re: svnserve privilege changing/dropping command line options patch

Posted by Tom Rune Flo <to...@x86.no>.
On Tue, Apr 26, 2005 at 01:40:12PM +0200, Marcus Rueckert wrote:
> On 2005-04-26 08:52:31 +0200, Tom Rune Flo wrote:
> > One reason would be if you want to start svnserve automatically during 
> > boot time, as you probably do with most of your other daemonized servers.
> > 
> > You could of course write some sort of wrapper for this, but to me it
> > makes a lot more sense for svnserve to be able to set uid/gid by itself.
> 
> just some examples:
> # suse
> $ startproc -u svn -g svn -e /usr/bin/svnserve -d -r /srv/svn/repositories
> 
> # debian
> $ start-stop-daemon --start --chuid svn --group svn --exec /usr/bin/svnserve -- -d -r /srv/svn/repositories
> 
> # general
> sudo -u svn "/usr/bin/svnserve -d -r /srv/svn/repositories"
> 
> i think these are enough solutions, which all work.

I'm sure they work, if you run suse, debian or have sudo installed on your
system.  I don't, and I probably never will.  But that is beside the point.
I'm not interested in a lengthy discussion, and I would guess that neither
are you, but I would like to point this out:

My server is currently running quite a number of different services;
every single one of them, except svnserve, is self-supporting enough
to be started at boot time without wrappers or "3rd party" tools.

I really cannot see why svnserve should be different.  Yes, one can use
sudo, daemontools, inetd, all kinds of wrappers -- but should that really
be necessary for a "daemonized" server?  What is the difference between
svnserve (running with the -d option) and apache, or sshd?

Well, that's it for me on this issue.  Thanks for your time.


Re: svnserve privilege changing/dropping command line options patch

Posted by Marcus Rueckert <da...@web.de>.
On 2005-04-26 08:52:31 +0200, Tom Rune Flo wrote:
> One reason would be if you want to start svnserve automatically during 
> boot time, as you probably do with most of your other daemonized servers.
> 
> You could of course write some sort of wrapper for this, but to me it
> makes a lot more sense for svnserve to be able to set uid/gid by itself.

just some examples:
# suse
$ startproc -u svn -g svn -e /usr/bin/svnserve -d -r /srv/svn/repositories

# debian
$ start-stop-daemon --start --chuid svn --group svn --exec /usr/bin/svnserve -- -d -r /srv/svn/repositories

# general
sudo -u svn "/usr/bin/svnserve -d -r /srv/svn/repositories"

i think these are enough solutions, which all work.

darix

-- 
irssi - the client of the smart and beautiful people

              http://www.irssi.de/



Re: svnserve privilege changing/dropping command line options patch

Posted by Tom Rune Flo <to...@x86.no>.
On Tue, Apr 26, 2005 at 02:39:53AM -0400, Greg Hudson wrote:
> On Tue, 2005-04-26 at 00:37, Tom Rune Flo wrote:
> > The following patch will add two command line options to svnserve,
> > allowing users who run svnserve as a stand alone daemon to drop
> > privileges to a user specified uid and gid. (-u uid  -g gid)
> 
> Why not just run svnserve as the desired uid and gid?  It doesn't use a
> privileged port.

One reason would be if you want to start svnserve automatically during 
boot time, as you probably do with most of your other daemonized servers.

You could of course write some sort of wrapper for this, but to me it
makes a lot more sense for svnserve to be able to set uid/gid by itself.


Re: svnserve privilege changing/dropping command line options patch

Posted by Greg Hudson <gh...@MIT.EDU>.
On Tue, 2005-04-26 at 00:37, Tom Rune Flo wrote:
> The following patch will add two command line options to svnserve,
> allowing users who run svnserve as a stand alone daemon to drop
> privileges to a user specified uid and gid. (-u uid  -g gid)

Why not just run svnserve as the desired uid and gid?  It doesn't use a
privileged port.

(Our HACKING file details our coding and patch submission standards, but
that's secondary to whether we want the feature at all.)



Re: svnserve privilege changing/dropping command line options patch

Posted by John Peacock <jp...@rowman.com>.
Tom Rune Flo wrote:
> The following patch will add two command line options to svnserve,
> allowing users who run svnserve as a stand alone daemon to drop
> privileges to a user specified uid and gid. (-u uid  -g gid)

Something to remember is that svnserve has two very different uses:

1) a long running service (supporting the svn:// protocol);
2) a once-off session for shared local access (when supporting the svn+ssh:// 
protocol, which is just a fancy way to use file:// remotely).

Given that, and the profusion of ways to wrap the first mode, it doesn't seem 
quite so elegant to enable svnserve to set its own uid/gid.  FWIW, I tend to 
run all of my services under daemontools[1], so I wrap svnserve like this 
(lightly munged for "security"):

#!/bin/sh
exec 2>&1
setuidgid svn \
svnserve --daemon \
    --listen-host=##.##.##.## \
    --foreground \
    --root /home/svn/repos

As soon as svnserve starts logging something interesting, I can use multilog[2] 
to keep an appropriately large/small set of log files for debugging purposes 
without filling up my partition.

John

1) http://cr.yp.to/daemontools.html
2) http://cr.yp.to/daemontools/multilog.html

-- 
John Peacock
Director of Information Research and Technology
Rowman & Littlefield Publishing Group
4720 Boston Way
Lanham, MD 20706
301-459-3366 x.5010
fax 301-429-5747
