Is setting the SUID/SGID bit on the SVN binary a security risk?

I would like to use the SVN repository callback function (Unfuddle) to send the URL on my server whenever a commit is made. I have a PHP script that accepts a message and tries to invoke a shell script to execute 'svn update'.

The problem I am facing is that Apache runs under user "www-data" and does not have access to the local repository: ".svn/lock" is allowed. I read all about configuring SUID/SGID on shell scripts and how most *NIX OSs just don't support it due to its security risks.

However, I can set the SUID/SGID bit in the SVN binary located in /usr/bin/svn. This fixes the problem by allowing any user to issue SVN commands in any repository; not the most ideal ...

My question is what is the most logical / robust / safe way to implement this type of setup, and if I left the bits set in the svn binary, would this open a serious security risk that I don’t understand?

Sorry for the long post; this is my first question, and I wanted to be solid.

Thanks

+3
3 answers

There are two types of solutions for this kind of problem: polling or event-driven.

cronjob, , N . , , , . , cron .

, , - , . , . , , www- svn. SGID svn. - /.

, . ssh ( ) ssh . .

sudo -u [user] [command]. /etc/sudoers, www- / , .

SUID/SGID.

+2

CodeRich, cron tue ( , ).

svn SUID/SGID , svn ( , passwd shadow, /etc ). - suid ( SUID , root), chdir svn . ikiwiki, , cgi.

, www-data .

0

, Apache . , , . :)

, , Apache ( ) , . , , - php script , .

php script cgi fastcgi. , www-, , , , , .

phpSuexec, .

0

Source: https://habr.com/ru/post/1771425/

