You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@subversion.apache.org by Jano <al...@mosteo.com> on 2004/07/21 09:06:17 UTC
Problem with permissions
Hi,
I'm trying to automate the backup of a repository via a cron job. The
setup is as follows:
The repository is accessed via Apache2, which is run under the nobody
disabled account. Hence, the repository is owned by nobody since it
doesn't work otherwise.
When I try to do manually an operation requiring svnadmin, I must su
root because if not I get:
svn: Berkeley DB error while opening environment for filesystem
/home/jano/svn/db: Permission denied
The same happens when I run my script: it only works if I'm root. I've
tried changing the owner to nobody or setting the setuid flag, but it
gives the same failure. I must note that the repository was created with
svnadmin as root.
I would want to run the script not under the root account, if possible.
Is there something I can do, or have I some misconfiguration in place?
Apart from this, everything works flawlessly.
Thanks in advance,
Alex.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: Problem with permissions
Posted by Jano <al...@mosteo.com>.
Martin Probst wrote:
> Hi,
>
>
>>>>The repository is accessed via Apache2, which is run under the nobody
>>>>disabled account. Hence, the repository is owned by nobody since it
>>>>doesn't work otherwise.
>
>
> I think the common way of doing that would be to have the BDB files
> owned by the Apache user but being in a special svn administration
> group, e.g.
>
>>drwxrwxr-x 7 apache svnadm 224 1. Jun 16:27 /var/svn/repos/
>
> Now the user administrating the svn repository has to be a member of
> that svnadm group. That way this user has write access to the subversion
> repository but not to the Apache configuration etc.
> You can of course fine tune this further by having own groups for every
> repository. And don't change subversions config files to this group,
> keep it for repository administration only.
Sounds good, I'm going to try something along this line.
>>Interesting enough, there is an 'apache' account in my system... it has
>>!! in the /etc/shadow password field, whatever that means...
>
>
> That is the common way of "disabling" a user account. Set its encrypted
> password to something which can't be generated by crypt. So the apache
> account is disabled but that is a good thing. It basically means that
> only root can use that account by "su"ing into it and running apache.
> This makes it impossible for evil users to gain access via that account.
Ok, I was being confused because some accounts have a '*' while others
have '!!'. I had supposed it could mean something different from a
normal disabled account.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: Problem with permissions
Posted by Martin Probst <ma...@martin-probst.com>.
Hi,
> >>The repository is accessed via Apache2, which is run under the nobody
> >>disabled account. Hence, the repository is owned by nobody since it
> >>doesn't work otherwise.
I think the common way of doing that would be to have the BDB files
owned by the Apache user but being in a special svn administration
group, e.g.
> drwxrwxr-x 7 apache svnadm 224 1. Jun 16:27 /var/svn/repos/
Now the user administrating the svn repository has to be a member of
that svnadm group. That way this user has write access to the subversion
repository but not to the Apache configuration etc.
You can of course fine tune this further by having own groups for every
repository. And don't change subversions config files to this group,
keep it for repository administration only.
> Interesting enough, there is an 'apache' account in my system... it has
> !! in the /etc/shadow password field, whatever that means...
That is the common way of "disabling" a user account. Set its encrypted
password to something which can't be generated by crypt. So the apache
account is disabled but that is a good thing. It basically means that
only root can use that account by "su"ing into it and running apache.
This makes it impossible for evil users to gain access via that account.
Every accounted that is not used for real login sessions by users
(basically every accounted which is just used to run daemons under it)
should be locked this way.
mfg
Martin
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: Problem with permissions
Posted by Jano <al...@mosteo.com>.
Ulrich Eckhardt wrote:
> Jano wrote:
>
>>The repository is accessed via Apache2, which is run under the nobody
>>disabled account. Hence, the repository is owned by nobody since it
>>doesn't work otherwise.
>
> [...]
>
>>I would want to run the script not under the root account, if possible.
>>Is there something I can do, or have I some misconfiguration in place?
>
>
> I think that the user 'nobody' should never own any files or directories. I
> can imagine that this user intentionally can't create temporary files, which
> would probably mess up the BDB access.
> As far as Apache is concerned, isn't it normal to run that as user 'www' or
> 'www-data'? I think that would also be right in your case, i.e. let the
> repository be owned by that instead of 'nobody'.
Mmmmm, I frankly don't know about the nobody limitations. I'm using a
slightly tweaked default config file which came with Apache and I didn't
touch that. ITOH, I've been working with this configuration for some
time without any other problem.
Preliminary googling hints at nobody being a regular user account, in my
case disabled and only used by Apache AFAIK. So I don't think I will
gain anything moving things to www... :/
Interesting enough, there is an 'apache' account in my system... it has
!! in the /etc/shadow password field, whatever that means...
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: Problem with permissions
Posted by Ulrich Eckhardt <ec...@satorlaser.com>.
Jano wrote:
> The repository is accessed via Apache2, which is run under the nobody
> disabled account. Hence, the repository is owned by nobody since it
> doesn't work otherwise.
[...]
> I would want to run the script not under the root account, if possible.
> Is there something I can do, or have I some misconfiguration in place?
I think that the user 'nobody' should never own any files or directories. I
can imagine that this user intentionally can't create temporary files, which
would probably mess up the BDB access.
As far as Apache is concerned, isn't it normal to run that as user 'www' or
'www-data'? I think that would also be right in your case, i.e. let the
repository be owned by that instead of 'nobody'.
hth
Uli
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org