Running svnsync on a repository with group suid/sgid set fails to execute a hook

Question

I have a Linux server that I am attempting to run svnsync against a list of repositories to mirror / back up.

I created a folder /srv/backups and set it to have the group gsid of adm, using chmod g+s so that any item or folder created in this directory preserves the adm group ownership.

failure

I then:

create a repository svnadmin create blah under /srv/backups,
copy the pre-revprop-change hook script into blah/hooks/
ensure the hook is executable chmod +ax blah/hooks/pre-revprop-change
try running svnsync init against blah and the remote repository. It fails whether running as myself or root with a 255 error message from the pre-revprop-change script.

svnsync: E165001: Revprop change blocked by pre-revprop-change hook (exit code 255) with no output.

successes

If I repeat the same steps above, copying the same pre-revprop-change hook to the target mirror, however:

running as myself against a folder under my home directory,
or running as root against /srv/svnmirrors where root:adm has ownership but the gsid is not set,

Then it executes properly, allowing me to initialize and later sync.

hypothesis

So, I'm pretty sure it's an issue with the gsid and then svnsync does not have permissions to run the hook.

My understanding is setting the gsid tells programs acting against this directory to run with those credentials; so adding a folder is done as myself:adm, and I would expect that running the svnsync would run as myself:adm or root:adm, and should have sufficient privileges.

permissions

Here are the main folders under /srv, where backups fails and svnmirrors succeeds:

drwxrwsr-x 11 root adm 4096 Sep 16 17:09 backups
drwxrwxr-x 2 root adm 4096 Sep 16 17:24 svnmirrors

And here are the hooks in both locations:

the hook that fails to execute; tried as both root and myuser:

-rwxr-xr-x 1 myuser adm 2794 Sep 16 16:54 backups/blah/hooks/pre-revprop-change
- OR -
-rwxr-xr-x 1 root adm 2794 Sep 16 16:54 backups/blah/hooks/pre-revprop-change

the succeeding one

-rwxr-xr-x 1 myuser myuser 2794 Sep 16 16:45 svnmirrors/blah/hooks/pre-revprop-change

Thoughts:

Is it that svnsync is not running under the group adm?
If so, is it possible to add svnsync to adm?
Or do I need to set a different group on the folder and ensure I'm in that group?
By setting the gsid, am I exposing vulnerabilities on the server? Referencing this chapter on security.

score 1 · Accepted Answer · answered Sep 18 '13 at 15:55

Solved - mount partition without `noexec` option

Make sure you've mounted the directory without the noexec option!

I don't know what made me look in /etc/fstab (or why I didn't think of that sooner) but /srv/backups is a separate partition and I had declared it with the noexec option.

This prevented the hook from running; removing that and remounting it, everything works fine.

But, I'm going to drop the gsid off of the folder, change the partition to nosuid, and allow execution.

score 0 · Answer 2 · answered Sep 17 '13 at 17:21

If you haven't, you'll also need to modify the pre-revprop-change hook in addition to copying it into place -- it blocks revprop changes (to all properties other than svn:log) by default. You'll need to add something like:

if [ "$USER" = "svnsync" ]; then exit 0; fi

See here for more info.

score 0 · Answer 3 · answered Sep 17 '13 at 19:33

0

Might I suggest using the svnbackup.pl and svnrestore.pl scripts from Chris Knight to backup your Repo? We use it and it works fine.

answered Sep 17 '13 at 19:33