[#617] SCM: impossible to make public repos created as private



Detailed description

Ever since that major security fix, we have the problem that plugins/scmsvn/common/SVNPlugin.class.php has…

                            if ($project->enableAnonSCM()) {
                                    system ("chmod -R g+wX,o+rX-w $repo") ;
                            } else {
                                    system ("chmod -R g+wX,o-rwx $repo") ;

… only in the “create” case, and that later changes only do:

                    if ($project->enableAnonSCM()) {
                            system ("chmod g+wX,o+rX-w $repo") ;
                    } else {
                            system ("chmod g+wX,o-rwx $repo") ;

That is, without the -R.

I move that the chmod inside the 「if (!isdir ($repo) || !isfile ("$repo/format"))」 block be changed to always enable o+rX-w, and only the top-level directory shall be used to switch repos between public and private. We will, of course, need appropriate update code in a postinst to convert already-done repositories.

I noticed this in scmsvn and have not looked at the other scm* plugins for whether they exhibit this problem too.
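Added example, not part of the original report or of FusionForge's code: a shell sketch that reproduces the two behaviours described above on a throwaway directory standing in for a repository. The function names and the fake `format`/`db` layout are assumptions; the chmod modes are the ones quoted in the report.

```shell
#!/bin/sh
# Constructed demo: a temporary directory plays the role of an SVN repository.

# make_repo DIR: minimal repo-like tree (top dir, format file, db/ subdir)
make_repo() {
    mkdir -p "$1/db"
    echo 5 > "$1/format"
    echo data > "$1/db/current"
}

# Behaviour in the report: recursive chmod at creation time, private project
create_private_current() {
    make_repo "$1"
    chmod -R g+wX,o-rwx "$1"
}

# Later visibility changes in the report: top-level directory only, no -R
set_public_toplevel()  { chmod g+wX,o+rX-w "$1"; }
set_private_toplevel() { chmod g+wX,o-rwx "$1"; }

# Proposal in the report: contents always o+rX-w, top-level dir is the switch
create_proposed() {
    make_repo "$1"
    chmod -R g+wX,o+rX-w "$1"
    if [ "$2" = public ]; then set_public_toplevel "$1"; else set_private_toplevel "$1"; fi
}

# other_bits PATH: print the "other" permission triplet, e.g. r-x
other_bits() { ls -ld "$1" | cut -c8-10; }

demo() {
    tmp=$(mktemp -d)
    # Created private with the current code, then switched to public
    create_private_current "$tmp/old"; set_public_toplevel "$tmp/old"
    # Created private with the proposed code, then switched to public
    create_proposed "$tmp/new" private; set_public_toplevel "$tmp/new"
    for p in old old/db old/format new new/db new/format; do
        printf '%-12s other=%s\n' "$p" "$(other_bits "$tmp/$p")"
    done
    rm -rf "$tmp"
}
demo
```

In the `old` tree the top-level directory becomes `r-x` for others but `db` and `format` stay at `---`, so anonymous reads still fail; in the `new` tree the private state relies on the top-level directory alone denying traversal.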

General Information
Submitted by: Thorsten Glaser
Date Submitted: 2014-01-09 14:54
Last Modified by: Nobody
Last Modified: 2017-11-02 20:00
Date Closed: 2015-05-22 12:47
Permalink: https://fusionforge.org/tracker/a_follow.php/617
Votes: 0/1 (0%)
Internal Fields
Data Type: Bugs
Assigned to: Nobody (None)
State: Closed
Priority: 4
Extra Fields
Target Release:
Found in Version:
Date: 2015-05-22 12:47
Sender: Sylvain Beucler

The migration script for 6.0 reset permissions, and 6.0 will only modify the top-level directory. Fixed :)

Date: 2014-02-09 16:04
Sender: Franck Villaume

I unset target release since this bug is not yet fixed.

Date: 2014-01-09 15:14
Sender: Thorsten Glaser

Indeed, but this does not apply any more. Basically, what you wanted for speedup has already been applied because of security.

I wanted to have this tracked so we can all think about how to best fix this without impeding security again. I’ve attached a patch as basis for discussion.

Date: 2014-01-09 15:07
Sender: Julien HEYMAN

Hi, I have submitted a similar patch for svn and cvs on 5.1.1: https://fusionforge.org/tracker/index.php?func=detail&aid=460&group_id=6&atid=107

Size | Name | Date | By
892 bytes | suggest-patch.txt | 2014-01-09 15:14 | Thorsten Glaser

No related commits.

Field | Old Value | Date | By
Resolution | Accepted As Bug | 2015-05-22 12:48 | Sylvain Beucler
status_id | Open | 2015-05-22 12:47 | Sylvain Beucler
close_date | None | 2015-05-22 12:47 | Sylvain Beucler
Target Release | None | 2015-05-22 12:47 | Sylvain Beucler
Target Release | 5.1.3 | 2014-02-09 16:04 | Franck Villaume
File Added | 391: suggest-patch.txt | 2014-01-09 15:14 | Thorsten Glaser

No relations found.