Jon Foster wrote:
> Hi,
>
> I have a repository that is partially mirrored, using svnsync and
> mod_authz_svn [1]. I just realised that the administrator of the
> mirror server can bypass the authz rules I've set up on the master
> server. All he has to do is change the svn:sync-from-url property
> on the mirror repository to be a file:// URL to the source
> repository, rather than a http:// one. The correct file:// URL is
> probably guessable.

Yes, you are correct. If the admin of the mirror server changes the sync-from URL to a properly guessed file:// URL, then svnsync, when run on the master server, will read that URL from the mirror and use it for its sync work, bypassing authz.

> Attack #2 (other repositories):
>
> More generally, the administrator of the mirror repository can use
> this attack to get a full mirror of ANY repository that svnsync can
> access, if they know both the repository URL and UUID. In practice,
> the requirement to know the UUID is likely to frustrate most attacks
> that are directed against other repositories. (It does not provide
> any protection whatsoever against the basic "bypass authz" attack
> described earlier in this mail, because the mirror repository's
> "svn:sync-from-uuid" property already contains the correct UUID).
> But the repository UUID was never intended to be a security-critical
> secret - it's included in plaintext in every SVN checkout, and
> changing it requires everyone to fix up their working copies.

So, you're saying that svnsync, running on the master server via repos1's hooks, would contact what it thinks is a mirror of repos1 on the mirror server, read the sync URL (which actually points to file://.../repos2), and start syncing repos2's data across the wire. Right. Um... Ewww.

> Possible workarounds:
>
> - Don't run svnsync on the same system as the master repository,
> run it on the mirror server instead.

This has high practical costs, though.

> - Run svnsync as a different user that doesn't have access to any
> repository files.

This is a better workaround.

> Suggested fix:
>
> Please can we change "svnsync sync" to allow both the source and
> target URLs to be specified? That rather simple measure would block
> this attack. Since svnsync is usually invoked from a script, typing
> the extra URL isn't a problem.
>
> (If only one URL is specified, then svnsync should probably behave
> as it does today, for backward-compatibility. And we should
> document that svnsync trusts the mirror server if you only provide
> one URL).

This is a very sensible suggestion.

-- 
C. Michael Pilato <cmpil...@collab.net>
CollabNet <> www.collab.net <> Distributed Development On Demand
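The mitigation discussed in this thread (the master should never trust the URL the mirror advertises, and should pass the source URL explicitly) as an added POSIX shell example. This is not code from the thread or from Subversion itself; the function names `validate_sync_source` and `run_guarded_sync`, the constructed URLs, and the assumption that the installed svnsync accepts the `svnsync sync DEST_URL [SOURCE_URL]` form that later releases provide are all mine.

```shell
#!/bin/sh
# Added example, not from the original thread: guard a master-side
# post-commit svnsync run so it never acts on a tampered svn:sync-from-url.
# Hypothetical names: validate_sync_source, run_guarded_sync.

# Succeed only when the URL the mirror reports (a) uses http/https, so a
# file:// URL pointing at the master's own repository files is rejected,
# and (b) is exactly the URL the master administrator configured.
validate_sync_source() {
    reported="$1"
    expected="$2"
    case "$reported" in
        http://*|https://*) ;;      # only remote, authz-enforced schemes
        *) return 1 ;;              # file://, svn://, svn+ssh://, ... rejected
    esac
    [ "$reported" = "$expected" ]
}

# Intended for the master's hook. It reads the property the mirror advertises,
# refuses to sync if it has been changed, and then names the source explicitly
# instead of letting svnsync take it from the mirror. Run this as a user with
# no filesystem access to the repositories, as the thread also recommends.
run_guarded_sync() {
    mirror="$1"
    expected="$2"
    reported=$(svn propget --revprop -r 0 svn:sync-from-url "$mirror") || return 2
    if ! validate_sync_source "$reported" "$expected"; then
        echo "refusing to sync: mirror reports sync-from-url '$reported'" >&2
        return 1
    fi
    svnsync sync "$mirror" "$expected"
}

# Demonstration with constructed values; no svn commands are executed here.
GOOD="https://svn.example.com/repos1"
validate_sync_source "$GOOD" "$GOOD" && echo "ok: mirror reports the expected URL"
validate_sync_source "file:///var/svn/repos1" "$GOOD" || echo "rejected: file:// URL (the attack in this thread)"
validate_sync_source "https://svn.example.com/repos2" "$GOOD" || echo "rejected: points at a different repository"
```

The check deliberately compares the whole URL rather than only the scheme, because the second attack in the thread uses an acceptable scheme but a different repository path.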