Posted to users@subversion.apache.org by Jehan PROCACCIA <Je...@int-evry.fr> on 2006/10/10 13:29:00 UTC

svn authz users strategies

Hello,
I am trying to set up fine-grained access controls; here's a simple scenario. My 
authz file (called from svnserve.conf) contains this:
[svn@share /var/www/svnweb/repos/s2ia/conf]
$ cat authz
[groups]
s2ia = procacci,tutu
[/]
@s2ia = r
[/procacci]
procacci = rw
tutu =
[/tutu]
tutu = rw
procacci =

I want both users procacci and tutu to have full access to their 
personal "subdirectory" in the s2ia repository, but no rights to the other's 
directory.
It seems to work, except that now that there's only read access to / for 
the group, tutu is unable to perform its initial import:

[tutu@anaconda ~]
$svn import ./tutu -m "import initial tutu" 
svn+ssh://svn@share.int-evry.fr/var/www/svnweb/repos/s2ia/tutu
svn: Access denied

I don't want to set rw on / because I don't want users to "garbage" the 
repository with /xxx "subdirectories" anywhere; I want them to be able 
to write only below their username (/login). You might say that I could 
create a repository for each and every user, but I don't want to manage 
hundreds of repository configs :-( .
Any advice?

PS: by the way, I also tried to set an "absolute" path in the authz file, like 
[s2ia:/procacci] procacci = rw, but then I always get authorization 
refused for every svn command as user procacci :-( ! Why can't I set the 
repository in front of the access rule?

Thanks.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: svn authz users strategies

Posted by Jehan PROCACCIA <Je...@int-evry.fr>.
Russ wrote:
> I think you will need to enable read/write on / and use a pre-commit hook to disallow commits to /.
>   
If I disallow commits to /, I'm afraid that "svn import" will be 
disallowed as well?
Anyway, I would like to give it a try, but I never played with hooks 
.... If you have a sample pre-commit that does that, please let me know.
I've seen the sample provided in repo/hook/pre-commit.tmpl; it calls
/usr/share/doc/subversion-1.3.2/tools/hook-scripts/commit-access-control.pl
/usr/share/doc/subversion-1.3.2/tools/hook-scripts/commit-access-control.cfg.example
Why have that complicated "workaround" instead of directly using the authz 
file?
Thanks for your help.
> Russ

Re: svn authz users strategies

Posted by Russ <rs...@istandfor.com>.
I think you will need to enable read/write on / and use a pre-commit hook to disallow commits to /.

Russ
Sent wirelessly via BlackBerry from T-Mobile.  
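
One way to write the pre-commit hook suggested above, added here as an example (not code from any poster in this thread or from the Subversion distribution): it lets each committer write only below /<username>/ and assumes the authz file grants the group rw on [/]. The function name check_paths is hypothetical; svnlook author and svnlook changed are the standard commands for inspecting a pending transaction.

```shell
#!/bin/sh
# Added example: pre-commit hook confining each committer to /<username>/.
# Subversion invokes the hook as: pre-commit REPOS-PATH TXN-NAME

# check_paths AUTHOR
# Reads `svnlook changed` output on stdin, e.g. "A   tutu/file.txt":
# status flags in the first four columns, then the path without a leading
# slash (directories end in "/"). Prints every path outside AUTHOR/ and
# returns 1 if there is one; returns 0 when all paths are inside.
check_paths() {
    author=$1
    bad=0
    # No author means an unauthenticated commit: refuse it.
    [ -n "$author" ] || return 1
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=${line#????}        # drop the four-column status prefix
        case $path in
            "$author"/*) ;;      # the user's directory or anything below it
            *) printf '%s\n' "$path"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Act as a hook only when Subversion passes both arguments.
if [ "$#" -ge 2 ]; then
    REPOS=$1
    TXN=$2
    # Fail closed: if svnlook itself fails, the commit is refused.
    AUTHOR=$(svnlook author -t "$TXN" "$REPOS") || exit 1
    CHANGED=$(svnlook changed -t "$TXN" "$REPOS") || exit 1
    if ! DENIED=$(printf '%s\n' "$CHANGED" | check_paths "$AUTHOR"); then
        # stderr is relayed to the committing client.
        echo "Commit refused: $AUTHOR may only write below /$AUTHOR/" >&2
        printf '%s\n' "$DENIED" >&2
        exit 1
    fi
fi
```

The script goes in the repository's hooks directory as an executable file named pre-commit. It only restricts writes; read access is still decided by the authz file.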


RE: svn authz users strategies

Posted by Thomas Hemmer <th...@go-engineering.de>.
Jehan,

I have been treating the repository root as belonging to some kind of
svn superuser.

The superuser is the only one having commit access to the root level
which implies that anyone wishing to allocate a new project will have to
ask the superuser to do so for him.

Once the project exists this restriction will not matter any more since
procacci and tutu both have the required access privileges to their
respective svn directories.

Since allocating new projects is surely not such a frequent job the
effort of creating those folders should not overcharge the repository
administrator (aka superuser) ;-)


Hope this helps,

Thomas


