You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@subversion.apache.org by Can Burak Cilingir <ca...@babun.org> on 2004/05/03 10:05:56 UTC
system user authentication
hi.
is it possible to use system accounts with svn[serve]?
/svnroot/repos* has some repositories.. where folders are owned by
different system groups. manual says svn[serve] has blanket control
which i understood that any user authenticated with svn[seve] would
access all of the repositories.
i set up a system with mod_svn_authz but not comfortable with it because
it brings up some administrative load. most suitable solution seems ssh
tunnel but users won't have ssh login. (ftp is possible if it helps)
i try to build up a solution where:
* everyone will have read access to all of the repositories
* only users of the group where, repos folder is owned by will have
write access
* giving access to other users will be as simple as "add a new user to
the system, add this user to the repos' group"
i am thinking of adding svn as a subsytem to ssh like sftp, but is on
hold until it is the last choice :)
what may be the solution for this scenario?
thanks
--
Can Burak Cilingir
icq#10720999
http://canb.net/
...
ford, you are turning into an infinite number of penguins
can@canb.net gecici olarak servis disi,
can@babun.org'u kullanabilirsiniz.
can@canb.net is temporarily out of service,
you may use can@babun.org.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: system user authentication
Posted by Dimitri Papadopoulos-Orfanos <pa...@shfj.cea.fr>.
Hi,
> is it possible to use system accounts with svn[serve]?
>
> /svnroot/repos* has some repositories.. where folders are owned by
> different system groups. manual says svn[serve] has blanket control
> which i understood that any user authenticated with svn[seve] would
> access all of the repositories.
>
> i set up a system with mod_svn_authz but not comfortable with it because
> it brings up some administrative load. most suitable solution seems ssh
> tunnel but users won't have ssh login. (ftp is possible if it helps)
Unfortunately users need SSH login if you're using svn+ssh. But you
could assign constrained shells to their accounts.
> i try to build up a solution where:
> * everyone will have read access to all of the repositories
> * only users of the group where, repos folder is owned by will have
> write access
> * giving access to other users will be as simple as "add a new user to
> the system, add this user to the repos' group"
Have a look at "The svn+ssh:// server checklist":
http://svnbook.red-bean.com/svnbook/ch06s05.html
The only simple way I've found is using Red Hat's "group per user" user
management style. Each user has his own group and also belongs to
additional groups. In your case you'll have to use an umask which is not
necessarily acceptable at your place (by default all files are created
to be readable by everyone):
$ umask
0002
$
Create a Subversion user/group, for example svn/svn. The repository
top-level directory should belong to group svn and have the following
access rights so that everyone is able to read it (note that the "set
group ID" bit is set on that directory) and only those belonging to
group svn are able to write to it:
$ ls -dl /repos
drwxrwsr-x 7 svn svn 4096 may 1 00:00 /repos
$
Only users that belong to group svn can write to the repository. New
files belong to group svn.
Finally each project should have its own group, for example pro. The
project top-level directory should belong to group pro and the "set
group ID" bit must be set:
$ ls -dl /repos/project
drwxrwsr-x 7 pro pro 4096 may 1 00:00 /repos/project
$
Only users that belong to group pro can write to the project. New files
belong to group pro.
For more complex security schemes, you'll have to use ACLs. See for example:
http://acl.bestbits.at/about.html
> i am thinking of adding svn as a subsytem to ssh like sftp, but is on
> hold until it is the last choice :)
I'd be interested on feedback if you implement that...
> what may be the solution for this scenario?
It seems there's no definitive answer. For example see:
http://subversion.tigris.org/servlets/ReadMsg?list=users&msgNo=10352
--
Dimitri
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org