pyramidface

Reputation: 1277

Subversion sudo svn update changes file ownership and rwx

I'm limiting permissions on a certain file, settings.py in my svn-linked directory, so that it can only be read by sudo users and apache, which goes by the username www-data. So, on settings.py, I've set sudo chmod 640 settings.py and sudo chown www-data:www-data settings.py. I still want my unprivileged users to be able to svn update and svn commit, so with sudo visudo, I've set

unprivileged_user ALL = /usr/bin/svn commit *, /usr/bin/svn update *, \
                        /usr/bin/svn update

so that this user can still do sudo svn commit and sudo svn update. It won't be able to do plain svn commit or svn update because of the limited permissions on settings.py. If the unprivileged user tries to do that, there will be a message from svn that says the working copy is locked. I've noticed however that when I do sudo svn update, the unprivileged_user is updating as root and as a result the files that are updated from the svn repository are now owned by root:root with 644 privileges. This goes against what I'm trying to do with making settings.py owned by www-data:www-data. What can I do to make it so that www-data is always the owner and the rwx privileges remain the same?

Upvotes: 2

Views: 1479

Answers (3)

pyramidface

Reputation: 1277

Here's what I have right now. I'm using a post svn update hook, and I don't know how secure it is. This is for svn update only. Please feel free to state your opinions on this.

In /usr/local/bin, I create ssh-action.sh based off of this: http://top-frog.com/2009/04/23/client-side-pre-and-post-svn-hooks-with-unix-aliases/

My actual ssh-action.sh looks like this:

#!/bin/bash
REAL_SVN='/usr/bin/svn'
BASE_PATH='/home/unprivileged_user/test_svn/'

# run the real svn with the caller's arguments passed through unchanged
"$REAL_SVN" "$@"
status=$?

# post-svn actions: only after an update (quoted so a missing $1 is not a syntax error)
if [ "${1:-}" = 'up' ] || [ "${1:-}" = 'update' ]; then
    find -L "$BASE_PATH" -type f -name 'settings.py' -exec bash -c 'sudo chmod 0400 "$0" && sudo chown www-data "$0"; sudo chgrp www-data "$0"' '{}' \;
fi

# report svn's own exit status to the caller
exit "$status"

Then in sudo visudo, I add this to the bottom:

unprivileged_user ALL = NOPASSWD: /bin/chown www-data */test_svn/settings.py, /bin/chmod 0400 */test_svn/settings.py, /bin/chgrp www-data */test_svn/settings.py

Next, cd /home/unprivileged_user, open .bashrc, and add this to the bottom:

alias svn=/usr/local/bin/ssh-action.sh

Afterward, I need to make .bashrc immutable so that the unprivileged user can't edit it to bypass my svn hook. I do this with sudo chattr +i .bashrc

With this, hopefully whenever the unprivileged_user tries to svn update the test_svn working copy, settings.py will be owned by www-data:www-data with 400 permissions. What do you guys think? Are there any security flaws here? Thanks.

Upvotes: 0

Ali Nikneshan

Reputation: 3502

Use a script instead which does the update and resets the permissions.

svnupdate.sh:

#!/bin/bash
MY_PROJ_PATH=/home/....   # Put your path here
# stop here if the project directory cannot be entered, so the chown -R below
# never runs against the wrong directory
pushd "$MY_PROJ_PATH" || exit 1
svn update "$@" && chown -R www-data. . && chmod 640 settings.py
popd

Also make sure to chmod 750 /usr/local/bin/svnupdate.sh to prevent a security issue with the sudo command, and also update the sudoers file:

unprivileged_user ALL = /usr/bin/svn commit *, /usr/local/bin/svnupdate.sh

Upvotes: 1
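Both wrapper approaches in the two answers above leave two things to verify after the fact: that settings.py actually ended up with the intended owner, group and mode once the update finished, and that the script sudoers hands to root (the reason for the chmod 750 advice) is owned by root and not writable by the unprivileged user. The following audit helpers are an added example, not code from either answer; the throwaway working copy they build under mktemp is constructed sample data, the settings.py filename and the www-data owner come from the question, and the script assumes GNU coreutils stat.

```shell
#!/bin/bash
# Added audit helpers (not from the answers above). Assumes GNU `stat -c`.

# file_state_ok PATH OWNER GROUP MODE
# Returns 0 when PATH has exactly the given owner, group and octal mode.
file_state_ok() {
    local path=$1 want_owner=$2 want_group=$3 want_mode=$4 have
    [ -e "$path" ] || { echo "missing: $path" >&2; return 1; }
    have=$(stat -c '%U %G %a' -- "$path") || return 1
    [ "$have" = "$want_owner $want_group $want_mode" ] && return 0
    echo "mismatch: $path is '$have', want '$want_owner $want_group $want_mode'" >&2
    return 1
}

# sudo_target_ok PATH OWNER
# A script listed in sudoers must be owned by OWNER (normally root) and must
# not be group- or world-writable, otherwise the invoking user can change
# what runs as root. The octal mode is masked with 022 to find write bits.
sudo_target_ok() {
    local path=$1 want_owner=$2 owner mode
    [ -f "$path" ] || { echo "not a regular file: $path" >&2; return 1; }
    owner=$(stat -c '%U' -- "$path") || return 1
    mode=$(stat -c '%a' -- "$path") || return 1
    [ "$owner" = "$want_owner" ] || { echo "bad owner $owner on $path" >&2; return 1; }
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "group/other writable ($mode): $path" >&2
        return 1
    fi
    return 0
}

# audit_working_copy BASE OWNER GROUP MODE
# Checks every settings.py below BASE; the return value is the number of
# files that do not match (0 means the working copy is in the expected state).
audit_working_copy() {
    local base=$1 owner=$2 group=$3 mode=$4 bad
    # one line per failing file, counted outside the pipeline's subshell
    bad=$(find "$base" -type f -name 'settings.py' | while IFS= read -r f; do
        file_state_ok "$f" "$owner" "$group" "$mode" || echo "$f"
    done | wc -l | tr -d ' ')
    return "$bad"
}

# Stand-alone demo on a constructed throwaway working copy (no real svn needed);
# it uses the current user in place of www-data so it runs without root.
demo() {
    local t me mg
    t=$(mktemp -d) || return 0
    mkdir -p "$t/test_svn"
    : > "$t/test_svn/settings.py"
    me=$(stat -c '%U' -- "$t/test_svn/settings.py")
    mg=$(stat -c '%G' -- "$t/test_svn/settings.py")
    chmod 0644 "$t/test_svn/settings.py"      # what a root-run update leaves behind
    printf 'before fix: '
    audit_working_copy "$t" "$me" "$mg" 400 && echo ok || echo "$? file(s) wrong"
    chmod 0400 "$t/test_svn/settings.py"      # what the hook is meant to enforce
    printf 'after fix:  '
    audit_working_copy "$t" "$me" "$mg" 400 && echo ok || echo "$? file(s) wrong"
    rm -rf "$t"
}
demo
```

In production the calls would be `audit_working_copy /home/unprivileged_user/test_svn www-data www-data 400` after each update and `sudo_target_ok /usr/local/bin/svnupdate.sh root` before adding the wrapper to sudoers; both return non-zero on a finding, so they drop straight into a cron job or a deploy check.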

CleverLikeAnOx

Reputation: 1496

The www-data user will have a different UID on each system it is on, making it effectively a new user on each system. You cannot predict which user this will be so you cannot set the owner appropriately. Whoever checks it out will be the owner.

Furthermore, svn does not track permissions. It only tracks whether or not a file is executable. The permissions that the file comes with are determined by your umask.

Upvotes: 1
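The umask point in the answer above is the direct explanation for the 644 the question observed: Subversion stores no mode, only the svn:executable property, so a file written by a root-run update gets the creating process's default mode, 0666 (0777 when executable) masked by root's usual umask of 022. The script below is an added example, not code from the answer; it computes that mode for any umask and then observes the same value on a constructed throwaway file, generalising beyond the single 022 case in the text.

```shell
#!/bin/bash
# Added example (not from the answer above): file mode as a function of umask.

# mode_from_umask UMASK [BASE] -> prints the resulting octal mode
# BASE defaults to 666 (plain file); pass 777 for a file with svn:executable set.
mode_from_umask() {
    local um=$1 base=${2:-666}
    # leading 0 makes the shell read both values as octal
    printf '%03o\n' $(( 0$base & ~0$um ))
}

# create_with_umask UMASK PATH -> creates PATH under UMASK and prints its mode,
# i.e. the same result observed on the filesystem instead of computed
create_with_umask() {
    local um=$1 path=$2
    # the subshell keeps the umask change from leaking into the caller
    ( umask "$um" && : > "$path" ) || return 1
    stat -c '%a' -- "$path"
}

# Stand-alone demo on a throwaway directory (constructed, no real svn needed)
demo() {
    local t um
    t=$(mktemp -d) || return 0
    for um in 022 027 077; do
        printf 'umask %s: computed %s, observed %s\n' "$um" \
            "$(mode_from_umask "$um")" "$(create_with_umask "$um" "$t/f$um")"
    done
    rm -rf "$t"
}
demo
```

A umask of 027 on the updating process would give the 640 the question wants, but only the mode: the owner is still whoever runs the update, which is the answer's point, so a wrapper that resets ownership afterwards is still needed.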
