SVN Security
Sat, Nov 21, 2009 by JF
Security is always the opposite of access and convenience. A good illustration of this principle is that developers like to use SVN on their server to check out directly into the web root and to commit directly to their repository.
That convenience comes at a price: you have probably noticed the hidden .svn folders in your checked-out projects. Each one provides full read-write access to your code repository, and you only need one folder to have access to the whole repository. There are various hacks to download them from your website.
If you like that approach, you must prevent access to the .svn folders, for example from your root .htaccess file:
RewriteRule ^(.*/)?\.svn/ - [F,L]
ErrorDocument 403 "Access Forbidden"
A better approach is to check out your code in a folder outside of your web root, and update your web root using rsync:
rsync -e ssh -a --delete --exclude=\.svn path-to-svn-checkout path-to-htdocs
If your server does not have the command-line svn, you can update your web root directly from your computer:
rsync -e ssh -a --delete --exclude=\.svn path-to-svn-checkout username@serverurl:path-to-htdocs
And before you actually make the changes, you can view which files are changed with option -v for verbose, and option --dry-run for preview:
rsync -e ssh -a --delete --exclude=\.svn path-to-svn-checkout username@serverurl:path-to-htdocs -v --dry-run
With this approach, you get all of the benefits of SVN while maintaining security!
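As an added example (not part of the original post), the following shell functions can gate a deploy by checking that no .svn directory ended up under the web root after the rsync step. The function names are hypothetical and the web root path is supplied by the caller.

```shell
#!/bin/sh
# Added example: fail a deploy when Subversion metadata is present under a
# web root. Function names are hypothetical; the path comes from the caller.

# Print every .svn directory under $1, one per line.
# -prune stops find from descending into a match, so each working-copy
# metadata directory is reported once.
list_svn_dirs() {
    find "$1" -type d -name .svn -prune -print
}

# Count pristine file copies (*.svn-base) stored in the metadata. These are
# copies of the source files that a web server would hand out if .svn were
# reachable (text-base/ in the per-directory layout the post describes,
# pristine/ in the later single-.svn layout).
count_pristine() {
    find "$1" -type f -path '*/.svn/*' -name '*.svn-base' | wc -l | tr -d ' '
}

# Return 0 when the web root is clean, 1 when metadata is present,
# 2 when the directory does not exist.
check_webroot() {
    docroot=$1
    [ -d "$docroot" ] || { echo "no such directory: $docroot" >&2; return 2; }
    found=$(list_svn_dirs "$docroot")
    if [ -n "$found" ]; then
        echo "FAIL: .svn metadata under $docroot:" >&2
        echo "$found" >&2
        echo "pristine copies exposed: $(count_pristine "$docroot")" >&2
        return 1
    fi
    echo "OK: no .svn directories under $docroot"
}

# Typical use, run on the machine that holds the web root, after the sync:
#   check_webroot path-to-htdocs || exit 1
```

A non-zero return means the --exclude pattern was missed or someone checked out directly into the web root again.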
Finally, don't forget to secure your SVN communications with SSL (by using https://) or with an SSH tunnel (by using svn+ssh://).
Iva posted on April 19, 2010 11:38 am
Another way to clean the .svn folders (easier to remember):
find . | grep '/\.svn$' | xargs rm -r
admin posted on February 5, 2010 12:15 am
Another probably easier way to remember:
find . | grep '/\.svn$' | xargs rm -r
bob posted on February 4, 2010 2:22 pm
I have used SVN for almost 1 year. I was in charge of editing the static portion of the site. There is one situation where our server is hacked. Maybe this is one of the weak parts.
niQo posted on November 26, 2009 11:55 am
If you want to get source from SVN without '.svn', svn export is made for that.
You can use:
svn export URL
JF posted on November 24, 2009 1:47 am
Hi Jason:
Exactly, SVN checkout is great if you don't need to update your repository after some hot fixes.
With the trick I am showing here, you can:
1. do a normal checkout
2. work on that copy (which could be a test server behind .htpasswd)
3. sync it to the live server.
4. commit to the repository!
Another way to clean the .svn folders (easier to remember):
find . | grep '/\.svn$' | xargs rm -r
Michael posted on November 23, 2009 11:45 pm
@JF I never realised that each .svn directory grants full read-write access. Scary. Although I rarely use SVN anymore, it will inevitably make an appearance. You have already contributed to the security of that project. Thanks.
Jason Conkey posted on November 22, 2009 4:50 am
To add to these tips, I would suggest using svn export instead of svn checkout, so that the .svn directories are not outputted.
Also, if you had to remove .svn directories you could use something like this:
cd /your-web-root-for-example/
find . -type d -name '.svn' -prune -exec rm -r {} \;
Johan posted on November 21, 2009 9:11 am
Nice tips! I would just like to point out that if you're using Drush, they have a built-in rsync tool that automagically excludes .svn files. You still have to sync with your repository elsewhere, of course.