Forum: Ruby on Rails [OT] Is it safe to 'su' to the right user ?

François B. (Guest)
on 2006-04-13 05:03
(Received via mailing list)
Hi !

I'm using daemontools[1] to manage a few processes on my Debian box.
Among other things, I use it to manage svnserve, because it uses less
memory than Apache.

My /service/svnserve/run looks like this:

#!/bin/sh
su svn -c "/usr/local/bin/svnserve --foreground --daemon --root /var/svn"

Is it safe for me to run like that ?  If an attacker cracks svnserve,
what will they gain access to ?  Since I su to svn, will the attacker
gain svn's authorizations, or will they be able to gain root access ?

Thanks !
--
François Beausoleil
http://blog.teksol.info/

[1] http://cr.yp.to/daemontools.html
Eric H. (Guest)
on 2006-04-20 02:33
(Received via mailing list)
On Apr 12, 2006, at 6:02 PM, Francois B. wrote:

> var/svn"
>
> Is it safe for me to run like that ?

Only as safe as svnserve is.

> If an attacker cracks svnserve, what will they gain access to ?

Whatever svnserve has access to.

> Since I su to svn, will the attacker gain svn's authorizations, or
> will they be able to gain root access ?

They will gain svn's authorizations.  They will be able to gain root
access if there is an exploitable local privilege escalation
vulnerability.

--
Eric H. - removed_email_address@domain.invalid - http://blog.segment7.net
This implementation is HODEL-HASH-9600 compliant

http://trackmap.robotcoop.com
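
An added example, not part of the original thread or written by either poster: a Linux check that a supervised service such as the svnserve process discussed above has no root identity left in any credential slot, which is what limits a compromise of it to the service account's authorizations. The function names, the file names and UID/GID 1001 (standing in for the svn account) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Audits /proc/<pid>/status on Linux.
# The Uid:/Gid: lines hold four fields: real, effective, saved-set, filesystem.

# creds_ok STATUS_FILE EXPECTED_UID
# Succeeds only if all four UIDs equal EXPECTED_UID and no UID, GID or
# supplementary group is 0 (root). Missing fields fail closed.
creds_ok() {
    awk -v want="$2" '
        $1 == "Uid:" {
            seen_uid = 1
            for (i = 2; i <= 5; i++)
                if ($i == 0 || $i != want) { print "uid field " (i - 1) " is " $i; bad = 1 }
        }
        $1 == "Gid:" {
            seen_gid = 1
            for (i = 2; i <= 5; i++)
                if ($i == 0) { print "gid field " (i - 1) " is 0"; bad = 1 }
        }
        $1 == "Groups:" {
            for (i = 2; i <= NF; i++)
                if ($i == 0) { print "supplementary group 0 retained"; bad = 1 }
        }
        END {
            if (!seen_uid || !seen_gid) { print "Uid:/Gid: lines missing"; bad = 1 }
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# Constructed sample data: UID/GID 1001 stands in for the svn account.
# write_samples DIR creates two status excerpts to check.
write_samples() {
    # Fully dropped: every UID and GID is the service account.
    printf 'Name:\tsvnserve\nUid:\t1001\t1001\t1001\t1001\nGid:\t1001\t1001\t1001\t1001\nGroups:\t1001\n' > "$1/dropped.status"
    # Only the effective UID changed: real and saved-set UID are still 0,
    # so code running in the process could switch back to root.
    printf 'Name:\tsvnserve\nUid:\t0\t1001\t0\t1001\nGid:\t0\t1001\t0\t1001\nGroups:\t0\n' > "$1/partial.status"
}

# Live use: sh check.sh PID EXPECTED_UID   (e.g. the svnserve PID and `id -u svn`)
if [ "$#" -eq 2 ]; then
    creds_ok "/proc/$1/status" "$2"
fi
```

A process started through su by root should match the first sample, because setuid() called by a privileged process sets the real, effective and saved-set UID together.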