You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@subversion.apache.org by sa...@reuters.com on 2004/07/22 16:00:22 UTC
Security question for http
Hello All,
I am trying to set up Subversion and I am successfully able to do so.
All 3 protocol file,svn and http is working fine.
But for http to work I have to do a chmod '666' in the 'db' directory of the repository.
I am running apache as 'nobody' and 'nogroup'. We are running other process on the server so I would not like to run apache as any other user(like svn)
Is it possible to do so ? I could not find any information on the same.
Any help or direction will be great.
-Regards
Santanu Misra
-----------------------------------------------------------------
Visit our Internet site at http://www.reuters.com
Get closer to the financial markets with Reuters Messaging - for more
information and to register, visit http://www.reuters.com/messaging
Any views expressed in this message are those of the individual
sender, except where the sender specifically states them to be
the views of Reuters Ltd.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: Security question for http
Posted by Martin Probst <ma...@martin-probst.com>.
> Why don't you create a www user and group, run apache as that ,
> and chown the repo you want it to manage?
Or create a group "wwwsvnrepos", have the Apache user be part of that
group and chown :wwwsvnrepos the repository?
mfg
Martin
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: Security question for http
Posted by Dick Davies <ra...@hellooperator.net>.
* santanu.misra@reuters.com <sa...@reuters.com> [0725 17:25]:
>
> Hello All,
>
> I am trying to set up Subversion and I am successfully able to do so.
> All 3 protocol file,svn and http is working fine.
>
> But for http to work I have to do a chmod '666' in the 'db' directory of the repository.
> I am running apache as 'nobody' and 'nogroup'. We are running other process on the server so I would not like to run apache as any other user(like svn)
>
> Is it possible to do so ? I could not find any information on the same.
>
> Any help or direction will be great.
Why don't you create a www user and group, run apache as that , and chown the repo you want it to manage?
--
Hain't we got all the fools in town on our side? And hain't that a big
enough majority in any town?
-- Mark Twain, "Huckleberry Finn"
Rasputin :: Jack of All Trades - Master of Nuns
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: Security question for http
Posted by Brian Mathis <bm...@directedge.com>.
Seth Falcon wrote:
> On Thu, Jul 22, 2004 at 06:00:22PM +0200, santanu.misra@reuters.com
> wrote:
>
>>But for http to work I have to do a chmod '666' in the 'db' directory
>>of the repository. I am running apache as 'nobody' and 'nogroup'. We
>>are running other process on the server so I would not like to run
>>apache as any other user(like svn)
>
>>Is it possible to do so ? I could not find any information on the
>>same.
>
> My understanding is that you should run Apache as the user that owns the
> repos. Note that you can run multiple Apache instances if you wish to
> isolate Apache+svn from general web serving Apache...
>
> + seth
Or, as a more helpful and conceptually inverted suggestion, the repos
should be owned by the same user that runs apache, in this case 'nobody'.
It's the same exact thing, except this slight difference does not mean a
whole new apache install on a different port with a whole host of other
issues. A simple 'chown -R' would suffice.
--
Brian Mathis
http://directedge.com/b/
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: Security question for http
Posted by Ben Collins-Sussman <su...@collab.net>.
On Thu, 2004-07-22 at 11:37, Seth Falcon wrote:
> My understanding is that you should run Apache as the user that owns the
> repos.
Or, as I like to phrase it, "make the repos owned by whatever user
Apache runs as". :-)
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: Security question for http
Posted by Scott Barron <sc...@elitists.net>.
On Thu, Jul 22, 2004 at 09:37:37AM -0700, Seth Falcon wrote:
> On Thu, Jul 22, 2004 at 06:00:22PM +0200, santanu.misra@reuters.com
> wrote:
> > But for http to work I have to do a chmod '666' in the 'db' directory
> > of the repository. I am running apache as 'nobody' and 'nogroup'. We
> > are running other process on the server so I would not like to run
> > apache as any other user(like svn)
>
> > Is it possible to do so ? I could not find any information on the
> > same.
>
> My understanding is that you should run Apache as the user that owns the
> repos. Note that you can run multiple Apache instances if you wish to
> isolate Apache+svn from general web serving Apache...
>
> + seth
Running multiple apache's is precisely what I'm doing to solve this
problem. There is an MPM for apache2 which would allow you to set UID
per vhost but I believe it is in quite a state of disrepair and,
unfortunately, not actively developed. I set my svn apache to listen
only on the local interface, and some other port (like 8080 or what have
you) and then I use mod_proxy to reverse proxy from the web apache so I
don't have to pass around any port numbers to my users. It all works
out really well.
-Scott
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: Security question for http
Posted by Seth Falcon <sf...@fhcrc.org>.
On Thu, Jul 22, 2004 at 06:00:22PM +0200, santanu.misra@reuters.com
wrote:
> But for http to work I have to do a chmod '666' in the 'db' directory
> of the repository. I am running apache as 'nobody' and 'nogroup'. We
> are running other process on the server so I would not like to run
> apache as any other user(like svn)
> Is it possible to do so ? I could not find any information on the
> same.
My understanding is that you should run Apache as the user that owns the
repos. Note that you can run multiple Apache instances if you wish to
isolate Apache+svn from general web serving Apache...
+ seth
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org