Security is always the opposite of access and convenience. A good illustration of this principle is that developers like to use SVN on their server for checkouts directly into the web root, and for commits directly to their repository.
That convenience comes at a price: you have probably noticed the hidden .svn folders in your checked-out projects. Each one provides full read-write access to your code repository, and one folder is enough to reach the whole repository. There are various hacks to download them from your website.
If you keep that approach, you must block access to the .svn folders, for example with a rule in your root .htaccess file:
RewriteRule ^(.*/)?\.svn/ - [F,L]
ErrorDocument 403 "Access Forbidden"
A better approach is to check out your code into a folder outside the web root, and update the web root using rsync (the trailing slash on the source syncs the contents of the checkout rather than the folder itself):
rsync -e ssh -a --delete --exclude=.svn path-to-svn-checkout/ path-to-htdocs
If your server does not have the command-line svn, you can update the web root directly from your computer:
rsync -e ssh -a --delete --exclude=.svn path-to-svn-checkout/ username@serverurl:path-to-htdocs
And before you actually make the changes, you can see which files would change with option -v for verbose and option --dry-run for a preview:
rsync -e ssh -a -v --dry-run --delete --exclude=.svn path-to-svn-checkout/ username@serverurl:path-to-htdocs
With this approach, you get all of the benefits of SVN while maintaining security!
Finally, don't forget to secure your SVN communications with SSL (by using https://) or with an ssh tunnel (by using svn+ssh://).
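As an added example (not the post's own code), here is a small Python audit that covers both sides of the problem: it walks a web root for leftover .svn directories, which should be empty after an rsync or export as described above, and it scans access-log lines for requests that probe for .svn metadata, so you can see whether the rewrite rule answered with 403 or whether the metadata was served. The log lines and the demo directory tree are constructed for the example.

```python
"""Audit a web root for leftover .svn metadata and scan access logs for
requests that probe for it. Added example for this post (not the author's
code); log lines are in Apache "combined" format and are constructed."""
import os
import re
import tempfile

# Same intent as the post's RewriteRule ^(.*/)?\.svn/ : a path segment named
# .svn anywhere in the URL, but not e.g. /docs/.svnignore.
SVN_SEGMENT_RE = re.compile(r"(^|/)\.svn(/|$)")
# "GET /path HTTP/1.1" 200 -> method, path and status of a combined-log entry
REQUEST_RE = re.compile(r'"([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})')

SAMPLE_LOG = [  # constructed, not real traffic
    '198.51.100.7 - - [10/Mar/2010:12:00:00 +0000] "GET /.svn/entries HTTP/1.1" 403 199 "-" "curl/7.19"',
    '198.51.100.7 - - [10/Mar/2010:12:00:01 +0000] "GET /themes/.svn/entries HTTP/1.1" 200 4096 "-" "curl/7.19"',
    '203.0.113.5 - - [10/Mar/2010:12:00:02 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2010:12:00:03 +0000] "GET /docs/.svnignore?x=1 HTTP/1.1" 404 150 "-" "Mozilla/5.0"',
]


def svn_dirs_under(root):
    """Return every .svn directory below root, relative to root, sorted.
    Run against the web root after rsync/export: the expected result is []."""
    found = []
    for dirpath, dirnames, _files in os.walk(root):
        if ".svn" in dirnames:
            found.append(os.path.relpath(os.path.join(dirpath, ".svn"), root))
            dirnames.remove(".svn")  # no need to descend into the metadata
    return sorted(found)


def svn_probes(log_lines):
    """Return (client_ip, status, path) for each request that touches .svn.
    403 means the rewrite rule blocked it; 200 means metadata was served."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = m.group(2).split("?", 1)[0]  # ignore any query string
        if SVN_SEGMENT_RE.search(path):
            hits.append((line.split(" ", 1)[0], int(m.group(3)), path))
    return hits


def build_demo_root():
    """Create a throwaway tree shaped like a checkout copied straight into
    htdocs (constructed for the demo) and return its path."""
    root = tempfile.mkdtemp(prefix="htdocs-")
    for rel in ("index.php", ".svn/entries", "themes/.svn/entries"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root


if __name__ == "__main__":
    print("leftover .svn dirs:", svn_dirs_under(build_demo_root()))
    for ip, status, path in svn_probes(SAMPLE_LOG):
        print(ip, status, path, "<-- served!" if status == 200 else "")
```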

Comments
Nice tips! I would just like to point out that if you're using Drush, it has a built-in rsync tool that automagically excludes .svn files. You still have to sync with your repository elsewhere, of course.
@JF I never realised that each .svn directory grants full read-write access. Scary. Although I rarely use SVN anymore, it will inevitably make an appearance. You have already contributed to the security of that project. Thanks.
Hi Jason:
Exactly, SVN checkout is great if you don't need to update your repository after some hot fixes.
With the trick I am showing here, you can:
1. do a normal checkout
2. work on that copy (which could be a test server behind .htpasswd)
3. sync it to the live server.
4. commit to the repository!
Another way to clean the .svn folders (easier to remember):
find . | grep '\.svn$' | xargs rm -r
To add to these tips, I would suggest using svn export instead of svn checkout, so that the .svn directories are not written out.
Also, if you had to remove .svn directories you could use something like this:
cd /your-web-root-for-example/
find . -type d -name '.svn' -prune -exec rm -r {} \;
If you want to get source from SVN without '.svn', svn export is made for that.
You can use:
svn export URL
Another probably easier way to remember:
find . | grep '\.svn$' | xargs rm -r
I have used SVN for almost 1 year. I was in charge of editing the static portion of the site. There was one occasion when our server was hacked. Maybe this was one of the weak parts.
I am actually quite surprised here. I have used SVN before but never did I know that it provides full read-write access to the code repository. Never did any of my colleagues mention that either. Glad I read this post.
And these would be helpful in a general sense for any web related projects: http://www.kavoir.com/2010/03/php-security-checklist-for-websites-and-we...
Thanks for your post. I am going to start using ErrorDocument 403 "Access Forbidden" more in my htaccess files.
Important tips here but remember to remove the authentication cache for your SVN username/pass files and to replace passwords in cases of previous incursion.
Interesting code; will this work on most servers? I work with Windows servers and they always seem to be restrictive about what type of code you can use.
Very good explanation, you really are an expert in this field
Interesting, I hadn’t thought of using htaccess for this. I’ve used an alternate method for achieving the same thing, which has served me well in the past.
"^.svn" will only match directly underneath DocumentRoot. Here is my take on it: "(^|/)\.svn(/|$)". I.e. this matches any of
.svn
.svn/something
something/.svn
something/.svn/something