svnserve privilege changing/dropping command line options patch

Tom Rune Flo
The following patch will add two command line options to svnserve,
allowing users who run svnserve as a stand alone daemon to drop
privileges to a user specified uid and gid. (-u uid  -g gid)

As I'm not very familiar with the subversion codebase and standards,
my patch may not be the optimal way of doing this.  I am, however,
sending this patch to the list in hope that somebody can pick this
up and make a decent feature out of it.

The patch is included below, but can also be found at:
  http://forkbomb.org/svn-1.2.0-rc2-svnserve-uid-gid-option.patch


- Tom.




diff -ruN subversion-1.2.0-rc2/subversion/svnserve/main.c subversion-1.2.0-rc2-hack/subversion/svnserve/main.c
--- subversion-1.2.0-rc2/subversion/svnserve/main.c 2005-04-16 21:23:41.000000000 +0100
+++ subversion-1.2.0-rc2-hack/subversion/svnserve/main.c 2005-04-26 05:21:20.000000000 +0100
@@ -119,6 +119,8 @@
     {"threads",          'T', 0, N_("use threads instead of fork")},
 #endif
     {"listen-once",      'X', 0, N_("listen once (useful for debugging)")},
+    {"uid",              'u', 1, N_("drop privileges to uid (daemon mode)")},
+    {"gid",              'g', 1, N_("drop privileges to gid (daemon mode)")},
     {0,                  0,   0, 0}
   };
 
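
Review bot: the help strings for "uid" and "gid" do not say that the argument must be numeric. The values are later parsed with atoi(), so a user or group name is not accepted; either say "numeric uid" / "numeric gid" in the help text or accept names as well.
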
@@ -286,11 +288,13 @@
     }
 
   apr_getopt_init(&os, pool, argc, argv);
-
+
   params.root = "/";
   params.tunnel = FALSE;
   params.tunnel_user = NULL;
   params.read_only = FALSE;
+  params.uid = getuid();
+  params.gid = getgid();
   while (1)
     {
       status = apr_getopt_long(os, svnserve__options, &opt, &arg);
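
Review bot: the -/+ pair on the empty line after apr_getopt_init() changes only whitespace and should be left out of the patch. Initialising params.uid and params.gid to getuid()/getgid() also makes the current ids double as the "option not given" marker, so an explicit -u with the caller's own uid cannot be told apart from no -u at all; a separate flag would make the later checks clearer.
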
@@ -314,6 +318,14 @@
           mode_opt_count++;
           break;
 
+        case 'u':
+          params.uid = atoi(arg);
+          break;
+
+        case 'g':
+          params.gid = atoi(arg);
+          break;
+
         case SVNSERVE_OPT_FOREGROUND:
           foreground = TRUE;
           break;
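
Review bot: atoi(arg) in the 'u' and 'g' cases does no validation, so a non-numeric argument (a user name, a typo) becomes 0. When svnserve is started by root that equals getuid(), the later "params.uid != getuid()" test is false, and the server keeps running as root with no error. Parse with strtol() or strtoul(), check the end pointer and the range, and exit with a message on bad input.
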
@@ -465,8 +477,26 @@
   apr_socket_listen(sock, 7);
 
 #if APR_HAS_FORK
-  if (run_mode != run_mode_listen_once && !foreground)
+  if (run_mode != run_mode_listen_once && !foreground) {
+
+    if ((params.gid != getgid()) && setregid(params.gid, params.gid) == -1) {
+      svn_error_clear  
+        (svn_cmdline_fprintf
+           (stderr, pool,
+            _("Failed to set GID\n")));
+      exit(1);
+    }
+
+    if ((params.uid != getuid()) && setreuid(params.uid, params.uid) == -1) {
+      svn_error_clear  
+        (svn_cmdline_fprintf
+           (stderr, pool,
+            _("Failed to set UID\n")));
+      exit(1);
+    }
+
     apr_proc_detach(APR_PROC_DETACH_DAEMONIZE);
+  }
 
   apr_signal(SIGCHLD, sigchld_handler);
 #endif
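
Review bot: the drop calls setregid() and setreuid() but never setgroups(), so a server started by root keeps root's supplementary groups after the switch; clear them before the setregid() call. The block also sits inside "if (run_mode != run_mode_listen_once && !foreground)", so -u and -g are silently ignored with --foreground or listen-once; apply them in those modes too or reject the combination. The "if (...) {" brace placement differs from the surrounding code, which puts the brace on its own line.
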
diff -ruN subversion-1.2.0-rc2/subversion/svnserve/server.h subversion-1.2.0-rc2-hack/subversion/svnserve/server.h
--- subversion-1.2.0-rc2/subversion/svnserve/server.h 2004-02-19 19:25:41.000000000 +0000
+++ subversion-1.2.0-rc2-hack/subversion/svnserve/server.h 2005-04-26 05:06:17.000000000 +0100
@@ -45,6 +45,12 @@
   /* True if the deprecated read-only flag was specified on the
      command-line, which forces all connections to be read-only. */
   svn_boolean_t read_only;
+
+  /* Run server as the specified UID and GID. Useful for dropping
+     privileges when started by root. */
+  uid_t uid;
+  gid_t gid;
+
 } serve_params_t;
 
 /* Serve the connection CONN according to the parameters PARAMS. */
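
Review bot: uid_t and gid_t are added to serve_params_t unconditionally and this hunk adds no #include for them, while the code that uses the fields in main.c is under "#if APR_HAS_FORK". On a platform without these POSIX types server.h will not compile; guard the fields (and the getuid()/getgid() defaults in main.c) the same way and include the header that defines the types.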

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: svnserve privilege changing/dropping command line options patch

Greg Hudson
On Tue, 2005-04-26 at 00:37, Tom Rune Flo wrote:
> The following patch will add two command line options to svnserve,
> allowing users who run svnserve as a stand alone daemon to drop
> privileges to a user specified uid and gid. (-u uid  -g gid)

Why not just run svnserve as the desired uid and gid?  It doesn't use a
privileged port.

(Our HACKING file details our coding and patch submission standards, but
that's secondary to whether we want the feature at all.)



Re: svnserve privilege changing/dropping command line options patch

Tom Rune Flo
On Tue, Apr 26, 2005 at 02:39:53AM -0400, Greg Hudson wrote:
> On Tue, 2005-04-26 at 00:37, Tom Rune Flo wrote:
> > The following patch will add two command line options to svnserve,
> > allowing users who run svnserve as a stand alone daemon to drop
> > privileges to a user specified uid and gid. (-u uid  -g gid)
>
> Why not just run svnserve as the desired uid and gid?  It doesn't use a
> privileged port.

One reason would be if you want to start svnserve automatically during
boot time, as you probably do with most of your other daemonized servers.

You could of course write some sort of wrapper for this, but to me it
makes a lot more sense for svnserve to be able to set uid/gid by itself.


Re: svnserve privilege changing/dropping command line options patch

Marcus Rueckert
On 2005-04-26 08:52:31 +0200, Tom Rune Flo wrote:
> One reason would be if you want to start svnserve automatically during
> boot time, as you probably do with most of your other daemonized servers.
>
> You could of course write some sort of wrapper for this, but to me it
> makes a lot more sense for svnserve to be able to set uid/gid by itself.

just some examples:
# suse
$ startproc -u svn -g svn -e /usr/bin/svnserve -d -r /srv/svn/repositories

# debian
$ start-stop-daemon --start --chuid svn --group svn --exec /usr/bin/svnserve -- -d -r /srv/svn/repositories

# general
sudo -u svn /usr/bin/svnserve -d -r /srv/svn/repositories

i think these are enough solutions which all work.

darix

--
irssi - the client of the smart and beautiful people

              http://www.irssi.de/



Re: svnserve privilege changing/dropping command line options patch

gstein
One of svnserve's original design considerations was to be very, very
light weight compared to Apache. If you're going to get into all kinds
of fancy shmancy options and additional set uid/gid code and whatnot,
then you've moved away from one of its original design points.

Marcus provides some good options... very helpful to keep svnserve slim.

Cheers,
-g

On Tue, Apr 26, 2005 at 01:40:12PM +0200, Marcus Rueckert wrote:

> On 2005-04-26 08:52:31 +0200, Tom Rune Flo wrote:
> > One reason would be if you want to start svnserve automatically during
> > boot time, as you probably do with most of your other daemonized servers.
> >
> > You could of course write some sort of wrapper for this, but to me it
> > makes a lot more sense for svnserve to be able to set uid/gid by itself.
>
> just some examples:
> # suse
> $ startproc -u svn -g svn -e /usr/bin/svnserve -d -r /srv/svn/repositories
>
> # debian
> $ start-stop-daemon --start --chuid svn --group svn --exec /usr/bin/svnserve -- -d -r /srv/svn/repositories
>
> # general
> sudo -u svn /usr/bin/svnserve -d -r /srv/svn/repositories
>
> i think these are enough solutions which all work.
>
> darix

--
Greg Stein, http://www.lyra.org/


Re: svnserve privilege changing/dropping command line options patch

John Peacock
In reply to this post by Tom Rune Flo
Tom Rune Flo wrote:
> The following patch will add two command line options to svnserve,
> allowing users who run svnserve as a stand alone daemon to drop
> privileges to a user specified uid and gid. (-u uid  -g gid)

Something to remember is that svnserve has two very different uses:

1) a long running service (supporting the svn:// protocol);
2) a once-off session for shared local access (when supporting the svn+ssh://
protocol, which is just a fancy way to use file:// remotely).

Given that, and the profusion of ways to wrap the first mode, it doesn't seem
quite so elegant to enable svnserve to set its own uid/gid.  FWIW, I tend to
run all of my services under daemontools[1], so I wrap svnserve like this
(lightly munged for "security"):

#!/bin/sh
exec 2>&1
setuidgid svn \
svnserve --daemon \
    --listen-host=##.##.##.## \
    --foreground \
    --root /home/svn/repos

As soon as svnserve starts logging something interesting, I can use multilog[2]
to keep an appropriately large/small set of log files for debugging purposes
without filling up my partition.

John

1) http://cr.yp.to/daemontools.html
2) http://cr.yp.to/daemontools/multilog.html

--
John Peacock
Director of Information Research and Technology
Rowman & Littlefield Publishing Group
4720 Boston Way
Lanham, MD 20706
301-459-3366 x.5010
fax 301-429-5747


Re: svnserve privilege changing/dropping command line options patch

Marcus Rueckert
In reply to this post by Marcus Rueckert
On 2005-04-26 13:40:12 +0200, Marcus Rueckert wrote:
> just some examples:
[other solutions snipped]

i forgot about inetd:

[[[
$ cat /etc/xinetd.d/svn
# svnserve via xinetd.
# please see http://svnbook.red-bean.com/en/1.1/ch06s03.html for
# documentation
# default: off
# service name has to be in /etc/services.
#
# example:
# $ grep "^svn " /etc/services
# svn             3690/tcp   # Subversion
# svn             3690/udp   # Subversion
#
# some os/distros might put "svnserve" as service name
#
service svn
{
    disable         = no
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = svn
    group           = svn  
    server          = /usr/bin/svnserve
    server_args     = -i -r /srv/svn/repositories/
}
]]]

i don't use other inetds. but i am sure they have similar options.

darix

--
irssi - the client of the smart and beautiful people

              http://www.irssi.de/



Re: svnserve privilege changing/dropping command line options patch

Tom Rune Flo
In reply to this post by Marcus Rueckert
On Tue, Apr 26, 2005 at 01:40:12PM +0200, Marcus Rueckert wrote:

> On 2005-04-26 08:52:31 +0200, Tom Rune Flo wrote:
> > One reason would be if you want to start svnserve automatically during
> > boot time, as you probably do with most of your other daemonized servers.
> >
> > You could of course write some sort of wrapper for this, but to me it
> > makes a lot more sense for svnserve to be able to set uid/gid by itself.
>
> just some examples:
> # suse
> $ startproc -u svn -g svn -e /usr/bin/svnserve -d -r /srv/svn/repositories
>
> # debian
> $ start-stop-daemon --start --chuid svn --group svn --exec /usr/bin/svnserve -- -d -r /srv/svn/repositories
>
> # general
> sudo -u svn /usr/bin/svnserve -d -r /srv/svn/repositories
>
> i think these are enough solutions which all work.

I'm sure they work, if you run suse, debian or have sudo installed on your
system.  I don't, and I probably never will.  But that is beside the point.
I'm not interested in a lengthy discussion, and I would guess that neither
are you, but I would like to point this out:

My server is currently running quite a number of different services,
every single one of them, except svnserve, is self-supporting enough
to be started at boot time without wrappers or "3rd party" tools.

I really cannot see why svnserve should be different.  Yes, one can use
sudo, daemontools, inetd, all kinds of wrappers -- but should that really
be necessary for a "daemonized" server?  What is the difference between
svnserve (running with the -d option) and apache, or sshd?

Well, that's it for me on this issue.  Thanks for your time.


Re: svnserve privilege changing/dropping command line options patch

Greg Hudson
On Tue, 2005-04-26 at 12:40, Tom Rune Flo wrote:
> I really cannot see why svnserve should be different.  Yes, one can use
> sudo, daemontools, inetd, all kinds of wrappers -- but should that really
> be necessary for a "daemonized" server?  What is the difference between
> svnserve (running with the -d option) and apache, or sshd?

Apache and sshd both bind to privileged ports, so need to be run as root
initially.  So they have to have this feature.

I think you can use the standard "su" command to run svnserve as a
particular user.
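
What the in-process drop that daemons started as root need has to get right, as an added example (not code from this thread or from Subversion): strict numeric parsing instead of atoi(), supplementary groups cleared, and a check that root cannot be regained. The names parse_id and drop_privileges are hypothetical, and a 32-bit uid_t is assumed.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1            /* setgroups() prototype on glibc */
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse a decimal uid/gid strictly: 0 on success, -1 for empty, signed,
   non-numeric or trailing-garbage input, and for (uid_t)-1 and above
   (assumption: uid_t is 32 bits wide). */
int parse_id(const char *s, unsigned long *out)
{
  char *end;
  unsigned long v;
  if (s == NULL || *s < '0' || *s > '9') return -1;
  errno = 0;
  v = strtoul(s, &end, 10);
  if (errno != 0 || *end != '\0' || v >= 0xFFFFFFFFUL)
    return -1;
  *out = v;
  return 0;
}

/* Drop from root to uid/gid for good; 0 on success, -1 on any failure.
   Groups and gid are changed first, while the process is still root. */
int drop_privileges(uid_t uid, gid_t gid)
{
  if (uid == 0 || gid == 0) return -1;             /* not a drop at all */
  if (setgroups(1, &gid) != 0) return -1;          /* shed root's extra groups */
  if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
  if (getuid() != uid || geteuid() != uid) return -1;
  if (getgid() != gid || getegid() != gid) return -1;
  if (setuid(0) == 0 || seteuid(0) == 0) return -1; /* root must stay lost */
  return 0;
}

int main(int argc, char **argv)
{
  unsigned long u, g;
  if (argc != 3 || parse_id(argv[1], &u) != 0 || parse_id(argv[2], &g) != 0)
    return 2;                        /* usage: prog numeric-uid numeric-gid */
  if (drop_privileges((uid_t)u, (gid_t)g) != 0)
    return 1;
  printf("now uid=%lu gid=%lu\n", (unsigned long)getuid(), (unsigned long)getgid());
  return 0;
}
```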

