2

I have trac set up together with subversion. I want to allow some people to be able to add tickets, but I don't want them to access the repository. There will be other users who will be able to access the repo via trac. Currently I am using Apache 2 for authentication.

How secure is trac? How difficult is it for someone with limited access to access the source via trac?

I am not asking on how to disallow access to the source via trac. I know how to do that.

The question again is: How hard is it for someone without access to the source to hack in and get at the source?

John Smith
  • It wasn't me, but probably because this is a question about server configuration and not programming. – mikerobi Aug 17 '10 at 13:35
  • In addition to being off-topic, the question is also difficult to answer. You are basically asking how secure Trac is. The only way to know is to see if there are some open security related issues or do a code review (it's open source). Nobody will be able to guarantee that Trac is bug free. – Matteo Nov 30 '12 at 08:12

5 Answers

4

If Trac itself has access to your repository, and it gets compromised, the attacker has access to your repository by definition. In order to protect your repository from attackers taking over your Trac installation, you need to block Trac itself from accessing your repository; this will however also prevent it from giving access to the repository to anybody as well.

A compromised system still has all access permissions that it had before it was compromised, and whoever compromised it can make it do whatever they wish with its access permissions.

lanzz
3

Funny thing, you actually can't rely on any answer provided here. I would say the correct approach is to conclude Trac is not that secure (just an assumption) and try to mitigate potential risks.

I assume your goal is to make sure "users" and "developers" can collaborate, but users will not be able to access sources under any circumstances (which is very good, by the way).

There are quite a lot of relevant recipes on the net, but I will provide the simplest one:

  • put your Trac behind Apache (you did that already)
  • use mod-rewrite to make sure "users" will not get access to [your URL]/browser, ...
  • configure Trac permissions as well
  • [paranoid mode], change default URLs in order to eliminate guessing

Basically, the idea is to filter users as early as possible in order not to rely on Trac's internal security.

You can also use OWASP Zed Attack Proxy Project to test Trac yourself:


The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Renat Gilmanov
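The "filter users as early as possible" recipe above, as an added Apache configuration example (not part of the answer and not from the Trac project). It uses Apache's own group-based authorization on the repository URL paths instead of the mod_rewrite rule the answer mentions; the mount point /trac, the file paths under /etc/apache2/, and the group name "developers" are assumptions.

```apache
# Everyone who uses Trac must authenticate (ticket users and developers alike).
# The htgroup file is assumed to contain a line such as:  developers: alice bob
<Location /trac>
    AuthType Basic
    AuthName "Trac"
    AuthUserFile /etc/apache2/trac.htpasswd
    AuthGroupFile /etc/apache2/trac.htgroup
    Require valid-user
</Location>

# The Trac handlers that expose repository contents (source browser, revision
# log, changesets, arbitrary diffs and raw file export) are additionally
# restricted to the "developers" group. Apache decides this before the request
# reaches Trac, so it holds even if Trac's own permission table is wrong.
<LocationMatch "^/trac/(browser|log|changeset|diff|export)(/|$)">
    AuthType Basic
    AuthName "Trac"
    AuthUserFile /etc/apache2/trac.htpasswd
    AuthGroupFile /etc/apache2/trac.htgroup
    Require group developers
</LocationMatch>
```

On Apache 2.4 the `Require group` directive needs mod_authz_groupfile loaded; on 2.2 it is part of the default authorization modules. Keep the Trac permissions for the same users revoked as well, so that a ticket-only account that somehow reaches one of these handlers still gets a Trac-level permission error rather than source.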
2

You can set permissions for every Trac user. For example, you can have user accounts that can only access the ticket system, but not the source browser, timeline or wiki.

In particular, you want to not grant the following permissions:

BROWSER_VIEW    # View directory listings in the repository browser
LOG_VIEW        # View revision logs of files and directories in the repository browser
FILE_VIEW       # View files in the repository browser
CHANGESET_VIEW  # View repository check-ins

I am not sure what you mean by "secure". Trac will enforce the permissions you have set for all its web access. It will not show the source browser pages to someone who does not have the proper permissions. In addition to that, you will have to configure SVN as well to not allow anonymous repository read access (otherwise they could bypass Trac and access the repository directly).

Thilo
  • I think you missed my question. It is not how to disallow source code access. It is: even though you have disallowed source code access to that user, how difficult will it be to access it anyway? – John Smith Aug 16 '10 at 01:50
  • 2
    Unless there is a critical security bug in Trac, "Trac will enforce the permissions you have set". So it will not be possible to access the source through Trac. It then boils down to alternative ways to access the repository (svn, hacking the server itself), and to hacking Trac user accounts (guessing passwords, social engineering). – Thilo Aug 16 '10 at 02:03
0

Your question is hard to answer by nature. If you want to know about known security holes, you should check their own, or your distribution's, bug tracker. Debian doesn't report any security related bugs in trac, for example. So to the best of my knowledge, it is impossible to crack trac itself and gain ungranted access.

Of course, that doesn't mean there are no security holes. It only means they haven't been found by good guys (who would have reported them). But it's the best you can get when it comes to security, short of doing (or hiring people to do) a full source audit.

Bas Wijnen
0

This is possible.

 # Revoke every permission that exposes repository contents from <user>.
 # The last one is CHANGESET_VIEW (the "View repository check-ins" permission);
 # there is no CHANGE_VIEW permission in Trac.
 trac-admin /path/to/project permission remove <user> BROWSER_VIEW
 trac-admin /path/to/project permission remove <user> LOG_VIEW
 trac-admin /path/to/project permission remove <user> FILE_VIEW
 trac-admin /path/to/project permission remove <user> CHANGESET_VIEW

This will remove all repository related permissions. We use trac; it works well, and we haven't had any security problems as of yet.

Brandon Frohbieter
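Revoking the four permissions, as in Thilo's and Brandon's answers, is only half the job: Trac also honours grants made to the pseudo-users `anonymous` (everyone) and `authenticated` (every logged-in user), and grants made to a group the user is a member of. The following POSIX shell script is an added example (not from either answer and not part of Trac) that audits a saved `trac-admin <env> permission list` dump and reports which repository permissions a user effectively holds through any of those routes. The two-column listing format and the sample data are constructed for the example.

```sh
#!/bin/sh
# Audit a 'trac-admin <env> permission list' dump for repository-related
# permissions that a user effectively holds, directly or indirectly.

REPO_PERMS="BROWSER_VIEW LOG_VIEW FILE_VIEW CHANGESET_VIEW"

# repo_perms_for USER  (listing on stdin)
# Prints, one per line, each repository permission USER holds via:
#   - a direct grant,
#   - a grant to 'anonymous' (everyone) or 'authenticated' (all logged-in users),
#   - a grant to any group USER belongs to (groups are lowercase "actions").
repo_perms_for() {
    awk -v user="$1" -v repo="$REPO_PERMS" '
    BEGIN { n = split(repo, rp, " "); for (i = 1; i <= n; i++) want[rp[i]] = 1 }
    # Skip the header line, the dashed separator and blank lines.
    /^User/ || /^-+$/ || NF < 2 { next }
    { grant[$1, $2] = 1 }
    END {
        # Subjects whose grants apply to this user.
        eff[user] = 1
        eff["anonymous"] = 1
        if (user != "anonymous") eff["authenticated"] = 1
        # Follow group membership transitively: a lowercase "action" granted
        # to an effective subject is a group that subject belongs to.
        changed = 1
        while (changed) {
            changed = 0
            for (key in grant) {
                split(key, p, SUBSEP)
                if ((p[1] in eff) && !(p[2] in eff) && p[2] !~ /^[A-Z_]+$/) {
                    eff[p[2]] = 1; changed = 1
                }
            }
        }
        for (key in grant) {
            split(key, p, SUBSEP)
            if ((p[1] in eff) && (p[2] in want)) found[p[2]] = 1
        }
        for (i = 1; i <= n; i++) if (rp[i] in found) print rp[i]
    }'
}

# Constructed sample dump: alice is in the "developers" group, bob is a
# ticket-only user, carol was given BROWSER_VIEW directly by mistake.
SAMPLE_LISTING='User            Action
---------------------------------------------
anonymous       WIKI_VIEW
authenticated   TICKET_CREATE
authenticated   TICKET_VIEW
developers      BROWSER_VIEW
developers      FILE_VIEW
developers      LOG_VIEW
developers      CHANGESET_VIEW
alice           developers
bob             TICKET_MODIFY
carol           BROWSER_VIEW'

# audit_user USER: space-separated repository permissions USER holds in the sample.
audit_user() {
    printf '%s\n' "$SAMPLE_LISTING" | repo_perms_for "$1" | tr '\n' ' ' | sed 's/ $//'
}

for u in alice bob carol; do
    printf '%s: %s\n' "$u" "$(audit_user "$u")"
done
```

Against a live environment, replace the sample with `trac-admin /path/to/project permission list | repo_perms_for "$user"`. Any output for a ticket-only user means a grant still needs removing, and if the offending line is `anonymous` or `authenticated`, that grant reaches every account, not just the one being audited.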