Bug#437148: [scponly] svn support in scponly is unsafe

2007-09-09 Thread Thomas Wana
On 07.09.2007, at 11:01, Joachim Breitner wrote: Hi, On Friday, 07.09.2007, 10:59 +0200, Florian Weimer wrote: * Joachim Breitner: I think mounting the file system no-exec covers that. IIRC, Subversion directly executes the hook scripts, and this will fail in that case. Then this

Bug#437148: [scponly] svn support in scponly is unsafe

2007-09-07 Thread Florian Weimer
* Joachim Breitner: >> I think mounting the file system no-exec covers that. IIRC, >> Subversion directly executes the hook scripts, and this will fail in >> that case. > > Then this should be mentioned in the file. I also think that this is > quite a high hurdle: Admins that want that can surely

Bug#437148: [scponly] svn support in scponly is unsafe

2007-09-07 Thread Joachim Breitner
Hi, On Friday, 07.09.2007, 10:59 +0200, Florian Weimer wrote: > * Joachim Breitner: > >> I think mounting the file system no-exec covers that. IIRC, > >> Subversion directly executes the hook scripts, and this will fail in > >> that case. > > > > Then this should be mentioned in the file. I

Bug#437148: [scponly] svn support in scponly is unsafe

2007-09-07 Thread Joachim Breitner
On Friday, 07.09.2007, 10:49 +0200, Florian Weimer wrote: > * Joachim Breitner: > > >> These files have specific filenames at specific locations relative to > >> the svn repository root. > > > > But since I can put a repository _anywhere_ by just copying it there, > > how do you want the adm

Bug#437148: [scponly] svn support in scponly is unsafe

2007-09-07 Thread Florian Weimer
* Joachim Breitner: >> These files have specific filenames at specific locations relative to >> the svn repository root. > > But since I can put a repository _anywhere_ by just copying it there, > how do you want the admin to prevent the user running its hook > commands? I think mounting the fil

Bug#437148: [scponly] svn support in scponly is unsafe

2007-09-07 Thread Joachim Breitner
Hi, On Friday, 07.09.2007, 00:45 -0700, Kaleb Pederson wrote: > Thanks Florian, > > The following are now disabled for svn: > > "editor-cmd", > "diff-cmd", > "diff3-cmd", (just added) > "config-dir", But that does not prevent committing to a repository with hooks, right? You write in the s

Bug#437148: [scponly] svn support in scponly is unsafe

2007-09-07 Thread Kaleb Pederson
Thanks Florian, The following are now disabled for svn: "editor-cmd", "diff-cmd", "diff3-cmd", (just added) "config-dir", The following are disabled for svnserve: "daemon", "listen-port", "listen-host", "foreground", "inetd", "threads", "listen-once", The following for rsync: "rsh", "daemon",

Bug#437148: [scponly] svn support in scponly is unsafe

2007-09-06 Thread Florian Weimer
>> Furthermore, in light of comments on the debian list, I just >> disallowed --editor-cmd, --diff-cmd, and --config-dir... but that still >> doesn't help with the editor cmd and diff cmd being specified in config >> files. --diff3-cmd is problematic, too. For rsync, you need to disable daemon

Bug#437148: [scponly] svn support in scponly is unsafe

2007-09-04 Thread Joachim Breitner
Hi Kaleb, just replying to get the mail into the Debian BTS. Please keep [EMAIL PROTECTED] in the CC about this topic. I’m not testing these now, but maybe the scponly package maintainer will. Greetings, Joachim On Tuesday, 04.09.2007, 13:38 -0700, Kaleb Pederson wrote: > Hello, > > If y

Bug#437148: [scponly] svn support in scponly is unsafe

2007-09-04 Thread Joachim Breitner
Hi, On Tuesday, 04.09.2007, 13:10 -0700, Kaleb Pederson wrote: > Yes, you are exactly right. This was discovered a while ago and documented > in > our SECURITY document currently only in CVS. You can see it here: > > http://scponly.cvs.sourceforge.net/scponly/scponly/SECURITY?revision=1