Posted to users@subversion.apache.org by Tom Hosiawa <to...@rogers.com> on 2004/04/08 13:16:17 UTC

webdav configuration setup

Hi, I'm setting up my subversion server to use WebDAV, and I'm just
wondering what people thought of it? Did I miss anything (security-wise)?

All the repositories are in '/srv/svn'.

I created a user svn and group svn, with the svn user's home='srv/svn'
and shell='/bin/false'

I have the following in httpd.conf:
====================================================
<Location /svn>
	DAV svn
	SVNParentPath /srv/svn
	SVNIndexXSLT "/svnindex.xsl"
	
	# user authentication
	AuthType Basic
	AuthName "Subversion repository"
	AuthUserFile /srv/svn/conf/svn_users
	
	# allow anonymous read access
	Satisfy Any
	Require valid-user
	
	# access control policy
	AuthzSVNAccessFile /srv/svn/conf/svn_policy
</Location>
===================================================

and svn_policy:
===================================================
[groups]
pbAnalyzer-dev = svn

[pbAnalyzer:/svn/pbAnalyzer]
@pbAnalyzer-dev = rw

[/]
* = r
===================================================

I've set the permissions on /srv/svn to 'drwsrws', with user and group
owner set to svn.

Now, I just have to make the apache process switch to the svn user when
accessing the repository. But it's already using its own apache user and
group, so is it possible for it to switch to the svn user? Or should I
make the group owner of '/srv/svn' apache?

This setup should allow anonymous reads, but require authentication for
commits, using a user from svn_users.

Tom


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: webdav configuration setup

Posted by Tom Hosiawa <to...@rogers.com>.
> > The sgid seems to work, but the owner isn't? Is my understanding of suid
> > wrong, or should the owner be set to apache?
> 
> AFAIK, The suid bit on a directory has no effect.
> 
> Max.
 
Does this mean, I have to use ACL?

Tom


Re: webdav configuration setup

Posted by Max Bowsher <ma...@ukf.net>.
Tom Hosiawa wrote:
>> Well then, if it's easier, just make all your repositories wholly
>> owned by whatever user apache is already running as.
>> 
>> The real goal here is to avoid multiple users from accessing the
>> repositories.  It can get very complex when that happens.  The last
>> section in chapter 6 discusses this.
> 
> I think I like this the best.
> 
> Now I'm testing suid, but the owner doesn't seem to stay when I create a
> new file.
> 
> I have:
> "drwsrws---    4 apache   svn          4096 Apr  8 14:09 svn"
> 
> when I do:
> # cd svn
> # touch a.txt
> # ls -l a.txt
> -rw-------    1 root     svn             0 Apr  8 14:09 a.txt
> 
> The sgid seems to work, but the owner isn't? Is my understanding of suid
> wrong, or should the owner be set to apache?

AFAIK, The suid bit on a directory has no effect.

Max.


Re: webdav configuration setup

Posted by Tom Hosiawa <to...@rogers.com>.
> Well then, if it's easier, just make all your repositories wholly
> owned by whatever user apache is already running as.
> 
> The real goal here is to avoid multiple users from accessing the
> repositories.  It can get very complex when that happens.  The last
> section in chapter 6 discusses this.

I think I like this the best. 

Now I'm testing suid, but the owner doesn't seem to stay when I create a
new file.

I have:
"drwsrws---    4 apache   svn          4096 Apr  8 14:09 svn"

when I do:
# cd svn
# touch a.txt
# ls -l a.txt
-rw-------    1 root     svn             0 Apr  8 14:09 a.txt

The sgid seems to work, but the owner isn't? Is my understanding of suid
wrong, or should the owner be set to apache?

Tom


Re: webdav configuration setup

Posted by Ben Collins-Sussman <su...@collab.net>.
On Thu, 2004-04-08 at 08:47, Tom Hosiawa wrote:

> > Your life will be simpler if you make apache run as the 'svn' user.
> 
> Wouldn't this affect using apache for anything else other than
> subversion? Either way I see it, I'd have to use mixed permissions
> between the subversion repository contents and web server contents
> (whether it's apache or svn)?

Well then, if it's easier, just make all your repositories wholly
owned by whatever user apache is already running as.

The real goal here is to avoid multiple users from accessing the
repositories.  It can get very complex when that happens.  The last
section in chapter 6 discusses this.

> 
> I guess a third option is to run a separate apache process on another
> port?

That's fine too.
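As an added example (not code from the thread or from the Subversion project), the following Python audit checks a repository parent directory such as /srv/svn against the single-owner model Ben describes: every file and directory owned by the one account Apache runs as, nothing world-writable, and no setuid bit on directories (which, as Max notes elsewhere in the thread, has no effect). The sample tree, the repository name in it and its two deliberate mistakes are constructed for the example; the expected uid/gid are parameters supplied by the caller.

```python
"""Audit a Subversion parent directory for the single-owner model: every entry
owned by the account Apache runs as, nothing world-writable, no setuid bit on
directories.  Added example; the sample tree below is constructed, not real."""
import os
import stat
import tempfile


def current_uid():
    """The uid this process runs as (the 'expected owner' in the tests)."""
    return os.getuid()


def audit_ownership(root, expected_uid=None, expected_gid=None):
    """Walk `root` and return a list of (path, problem) for entries that break
    the single-owner model.  Symlinks are not followed; each directory is
    checked once, when os.walk reaches it."""
    if expected_uid is None:
        expected_uid = current_uid()
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for full in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(full)
            if st.st_uid != expected_uid:
                findings.append((full, f"owner uid {st.st_uid}, expected {expected_uid}"))
            if expected_gid is not None and st.st_gid != expected_gid:
                findings.append((full, f"group gid {st.st_gid}, expected {expected_gid}"))
            if st.st_mode & stat.S_IWOTH:
                findings.append((full, "world-writable"))
            if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISUID:
                findings.append((full, "setuid bit on a directory (no effect)"))
    return findings


def build_sample_tree():
    """Constructed stand-in for /srv/svn: one repository with two deliberate
    mistakes, a world-writable hook script and a setuid bit on the repo dir.
    Modes are set explicitly so the result does not depend on the umask."""
    root = tempfile.mkdtemp(prefix="svn-audit-")
    repo = os.path.join(root, "pbAnalyzer")
    db, hooks = os.path.join(repo, "db"), os.path.join(repo, "hooks")
    os.makedirs(db)
    os.makedirs(hooks)
    current = os.path.join(db, "current")
    with open(current, "w") as fh:
        fh.write("0\n")
    hook = os.path.join(hooks, "post-commit")
    with open(hook, "w") as fh:
        fh.write("#!/bin/sh\n")
    for path in (db, hooks):
        os.chmod(path, 0o750)
    os.chmod(current, 0o640)
    os.chmod(hook, 0o777)      # mistake 1: anyone on the box can edit the hook
    os.chmod(repo, 0o4750)     # mistake 2: setuid on a directory does nothing
    return root


def problems(root, expected_uid=None):
    """Sorted list of just the problem strings, for a quick summary."""
    return sorted(p for _path, p in audit_ownership(root, expected_uid))


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for path, problem in audit_ownership(sample_root):
        print(f"{problem}: {path}")
```

Run against a real parent directory with the Apache account's uid (for example `audit_ownership("/srv/svn", pwd.getpwnam("apache").pw_uid)`) after `chown -R`, and any entry listed is one that some other user could still write to or that the web server could not read.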


Re: webdav configuration setup

Posted by Tom Hosiawa <to...@rogers.com>.
> Make sure your server is running 1.0.1 if you plan to use "Satisfy Any"
> and "Require valid-user" together.
I am.

> You should be talking about paths *within* the pbAnalyzer repository. 
> In other words, the /svn/pbAnalyzer is the location of the repository
> itself.  Within the policy file, you should be talking about "imaginary"
> paths within particular repositories.  For example, if you want the
> pbAnalyzer-dev group to have full r/w access on the entire pbAnalyzer
> repository, then you should be writing:  [pbAnalyzer:/]

Thanks, didn't know that.

> > Now, I just have to make the apache process switch to the svn user when
> > accessing the repository. But it's already using its own apache user and
> > group, so is it possible for it to switch to the svn user? Or should I
> > make the group owner of '/srv/svn' apache?
> 
> Your life will be simpler if you make apache run as the 'svn' user.

Wouldn't this affect using apache for anything else other than
subversion? Either way I see it, I'd have to use mixed permissions
between the subversion repository contents and web server contents
(whether it's apache or svn)?

I guess a third option is to run a separate apache process on another
port?

Tom


Re: webdav configuration setup

Posted by Ben Collins-Sussman <su...@collab.net>.
On Thu, 2004-04-08 at 08:16, Tom Hosiawa wrote:

> All the repositories are in '/srv/svn'.
> 
> I created a user svn and group svn, with the svn user's home='srv/svn'
> and shell='/bin/false'
> 
> I have the following in httpd.conf:
> ====================================================
> <Location /svn>
> 	DAV svn
> 	SVNParentPath /srv/svn
> 	SVNIndexXSLT "/svnindex.xsl"
> 	
> 	# user authentication
> 	AuthType Basic
> 	AuthName "Subversion repository"
> 	AuthUserFile /srv/svn/conf/svn_users
> 	
> 	# allow anonymous read access
> 	Satisfy Any
> 	Require valid-user

Make sure your server is running 1.0.1 if you plan to use "Satisfy Any"
and "Require valid-user" together.

> 	
> 	# access control policy
> 	AuthzSVNAccessFile /srv/svn/conf/svn_policy
> </Location>
> ===================================================
> 
> and svn_policy:
> ===================================================
> [groups]
> pbAnalyzer-dev = svn
> 
> [pbAnalyzer:/svn/pbAnalyzer]

You should be talking about paths *within* the pbAnalyzer repository. 
In other words, the /svn/pbAnalyzer is the location of the repository
itself.  Within the policy file, you should be talking about "imaginary"
paths within particular repositories.  For example, if you want the
pbAnalyzer-dev group to have full r/w access on the entire pbAnalyzer
repository, then you should be writing:  [pbAnalyzer:/]

> Now, I just have to make the apache process switch to the svn user when
> accessing the repository. But it's already using its own apache user and
> group, so is it possible for it to switch to the svn user? Or should I
> make the group owner of '/srv/svn' apache?

Your life will be simpler if you make apache run as the 'svn' user.
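To make Ben's point about section headers concrete, here is an added Python example (not code from the thread and not mod_authz_svn's own implementation) that parses the posted svn_policy and evaluates who gets what. It uses a deliberately simplified model of the authz rules: the lookup walks from the requested path up to `/` and stops at the first section with a rule that applies to the user, a repository-specific section beats the repository-agnostic one for the same path, and within a section a user line beats a group line beats `*`. Those precedence choices are the example's assumptions, not a statement of how every Subversion release combines rules; the two policy texts and the user name `svn` come from the thread.

```python
"""Minimal evaluator for the Subversion authz file format, added to show why
a section header must name a path inside the repository ([pbAnalyzer:/]) and
not the repository's location on disk ([pbAnalyzer:/svn/pbAnalyzer]).
Simplified model for illustration, not mod_authz_svn's code."""
import configparser

# The svn_policy file exactly as posted in the thread.
POLICY_AS_POSTED = """\
[groups]
pbAnalyzer-dev = svn

[pbAnalyzer:/svn/pbAnalyzer]
@pbAnalyzer-dev = rw

[/]
* = r
"""

# The same file with the section header corrected as suggested in the reply.
POLICY_CORRECTED = POLICY_AS_POSTED.replace("[pbAnalyzer:/svn/pbAnalyzer]",
                                            "[pbAnalyzer:/]")


def parse_policy(text):
    """Return (groups, rules): groups maps a group name to its member set,
    rules maps (repo or None, path) to a list of (subject, set of rights)."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str            # user and group names are case-sensitive
    cp.read_string(text)
    groups = {}
    if cp.has_section("groups"):
        for name, members in cp.items("groups"):
            groups[name] = {m.strip() for m in members.split(",") if m.strip()}
    rules = {}
    for section in cp.sections():
        if section == "groups":
            continue
        if ":" in section:
            repo, _, path = section.partition(":")   # [repo:/path]
        else:
            repo, path = None, section               # [/path] applies to every repo
        path = "/" + path.strip("/")
        rules[(repo, path)] = [(subject, set(value.strip()))
                               for subject, value in cp.items(section)]
    return groups, rules


def _rank(subject, user, groups):
    """Precedence of a rule for this user (lower wins), or None if the rule
    does not apply: a user line beats a group line beats '*'.  This ordering
    is the example's simplification, an assumption rather than mod_authz_svn."""
    if subject == "*":
        return 2
    if subject.startswith("@"):
        return 1 if user is not None and user in groups.get(subject[1:], set()) else None
    return 0 if subject == user else None


def rights_for(policy, repo, path, user=None):
    """Effective rights of `user` (None = anonymous) on `path` inside `repo`.
    Walks from the requested path up to '/' and stops at the first section
    with a rule that applies; a repo-specific section is checked before the
    repo-agnostic one for the same path."""
    groups, rules = policy
    path = "/" + path.strip("/")
    while True:
        for key in ((repo, path), (None, path)):
            applicable = [(rank, r) for rank, r in
                          ((_rank(s, user, groups), r) for s, r in rules.get(key, []))
                          if rank is not None]
            if applicable:
                return min(applicable, key=lambda t: t[0])[1]
        if path == "/":
            return set()               # no rule anywhere: deny by default
        path = path.rsplit("/", 1)[0] or "/"


def can(policy, repo, path, user, needed):
    """True if every letter in `needed` ('r', 'w' or 'rw') is granted."""
    return set(needed) <= rights_for(policy, repo, path, user)


if __name__ == "__main__":
    for label, text in (("as posted", POLICY_AS_POSTED), ("corrected", POLICY_CORRECTED)):
        policy = parse_policy(text)
        commit = can(policy, "pbAnalyzer", "/trunk", "svn", "w")
        anon = can(policy, "pbAnalyzer", "/trunk", None, "r")
        print(f"{label}: commit by 'svn' to pbAnalyzer:/trunk ->", "allowed" if commit else "DENIED")
        print(f"{label}: anonymous read of pbAnalyzer:/trunk   ->", "allowed" if anon else "DENIED")
```

With the file as posted, the `rw` rule only ever matches the in-repository path `/svn/pbAnalyzer`, which is not where the project's files live, so a commit to `/trunk` falls through to `[/]` and is refused; with `[pbAnalyzer:/]` the group gets read/write on the whole repository while anonymous users still get read from `[/]`.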
