svn 更新包装器上的 setuid 不起作用?
我有一个属于用户“foo”并通过 Apache 访问的 svn 存储库,并且我尝试在也属于 foo 的目录上从提交后挂钩运行 svn update。
我创建了一个由 foo 拥有的 C 包装器,并设置了 suid 位,如 http: //subversion.apache.org/faq.html#website-auto-update ,然后应该由用户 www-data 运行的提交后脚本调用。
尽管如此,当我从用户 www-data (使用空环境)运行包装器时,它实际上以用户 foo 的身份调用 svn update ,但莫名其妙地,我被 svn 提示要求输入用户 www-data 的密码。
名为 svnupdater.c 的包装器代码与官方常见问题解答中建议的相同(当然具有正确的路径)。它是由用户 foo 创建和编译的。设置 suid 位后, /hooks 中的 ls -l 显示:
-rwxr-xr-x 1 www-data foo 74 2011-03-28 12:54 post-commit
-rwsr-sr-x 1 foo foo 7144 2011-03-28 12:16 svnupdater
如果我然后 'su www-data' 并运行 'env - ./svnupdater' (从 sh 或从 bash), ps aux 正确显示:
foo 20260 3.7 0.8 14008 4492 pts/0 S+ 12:18 0:00 svn update /home/foo/foosvn
但仍然我可以看到 svn update 提示我:
Authentication realm: <http://xxxxxx> xxxxx
Password for 'www-data':
当然,当提交后调用它时,整个事情都不会起作用。
我似乎不太明白问题出在哪里,因为这个策略是官方建议的策略,但看起来 svn update 绕过了 setuid 并仍在使用实际用户......
I have an svn repository which belongs to user 'foo' and is accessed through Apache, and I'm trying to run svn update from the post-commit hook, on a directory which is also owned by foo.
I created a C wrapper owned by foo and setted the suid bit, as suggested in http://subversion.apache.org/faq.html#website-auto-update , which should then be called by the post-commit script, run by user www-data.
Still, when I run the wrapper from user www-data (with an empty environment) it actually calls svn update as user foo, but inexplicably I get prompted by svn asking for the password of user www-data.
The code for the wrapper, called svnupdater.c is the same (of course with the correct paths) as suggested in the official faqs. It is created and compiled by user foo. After setting the suid bit, ls -l inside /hooks shows among others:
-rwxr-xr-x 1 www-data foo 74 2011-03-28 12:54 post-commit
-rwsr-sr-x 1 foo foo 7144 2011-03-28 12:16 svnupdater
If I then 'su www-data' and run 'env - ./svnupdater' (either from sh or from bash), ps aux correctly shows:
foo 20260 3.7 0.8 14008 4492 pts/0 S+ 12:18 0:00 svn update /home/foo/foosvn
But still I can see svn update prompting me with:
Authentication realm: <http://xxxxxx> xxxxx
Password for 'www-data':
And of course the whole thing won't work when the post-commit calls it.
I can't really seem to understand where the problem is, since this strategy is the official suggested one, but it looks like svn update is bypassing the setuid and still using the actual user...
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
看来我找到了解决办法。
您需要在包装器内添加 --config-dir 参数(因此它看起来像 this),因为看起来 svn 不会从正确的目录中读取身份验证文件。
我认为这应该记录在 Apache 常见问题解答中。
Looks like I found out a solution.
You need to add the --config-dir parameter inside the wrapper (so it looks like this), since it appears svn won't read the auth files from the right directory otherwise.
I think this should be documented in the Apache faqs.