[prev in list] [next in list] [prev in thread] [next in thread] 

List:       subversion-users
Subject:    Re: ssh+svn vs. bash security bug?
From:       Vincent Lefevre <vincent-svn () vinc17 ! net>
Date:       2014-09-27 21:25:09
Message-ID: 20140927212509.GB24975 () xvii ! vinc17 ! org
[Download RAW message or body]

On 2014-09-27 00:45:19 +0100, Philip Martin wrote:
> Vincent Lefevre <vincent-svn@vinc17.net> writes:
> > How can this be possible? Do you mean that OpenSSH starts the command
> > with bash instead of some exec* function or /bin/sh (which is dash on
> > my machines)?
> 
> OpenSSH uses the login shell for the user, from session.c:
> 
>         /*
>          * Execute the command using the user's shell.  This uses the -c
>          * option to execute the command.
>          */
>         argv[0] = (char *) shell0;
>         argv[1] = "-c";
>         argv[2] = (char *) command;
>         argv[3] = NULL;
>         execve(shell, argv, env);
>         perror(shell);
>         exit(1);
> 
> 
> So an svn+ssh installation can be secured by ensuring that the command
> "svnserve -t" is forced and the corresponding login shell is not bash.

which is the case on my server: the login shell of the svn user is
/bin/sh (which is a symlink to dash).

> Subversion cleans the environment before invoking hooks so any hooks
> invoked by svnserve are safe even if those hooks use bash.

I also use /bin/sh for hooks anyway.

> A patch to add a no-user-shell option to OpenSSH has been suggested:
> 
> http://www.openwall.com/lists/oss-security/2014/09/25/41
> 
> However if there is no shell then OpenSSH either has to parse the
> command itself, which is non-trivial, or there is a restriction that no
> parameters are passed to the executable, or there has to be a way of
> specifying executable and parameters separately.

There could be a restriction that no special characters are used
in the command (which would generally be sufficient for Subversion,
AFAIK), so that splitting on spaces would be sufficient.

> There is a similar driver in Subversion: a shell is used when invoking
> the arbitrary, used-defined, --editor-cmd/SVN_EDITOR string so that
> Subversion does not have to parse it.  This is different from hooks
> where a direct exec is used.

It there were an option to do an exec, you would be OK for me,
because I've set SVN_EDITOR to a full pathname (to a Perl script
that is a wrapper to the editor).

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
[prev in list] [next in list] [prev in thread] [next in thread]