Posted to dev@subversion.apache.org by Blair Zajac <bl...@orcaware.com> on 2002/07/01 01:52:39 UTC
start-commit user access scripts
I'm looking at COMMITTERS and I'm guessing that there's a script on
svn.collab.net that is run from start-commit that checks to make
sure a particular user can modify portions of the repository.
If this is the case, can somebody who has access to svn.collab.net add
the scripts that check this to the svn repos? My own svn tree needs
to limit user privileges.
Thanks,
Blair
--
Blair Zajac <bl...@orcaware.com>
Web and OS performance plots - http://www.orcaware.com/orca/
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Re: start-commit user access scripts
Posted by Karl Fogel <kf...@newton.ch.collab.net>.
Blair Zajac <bl...@orcaware.com> writes:
> I'm looking at COMMITTERS and I'm guessing that there's a script on
> svn.collab.net that is run from start-commit that checks to make
> sure a particular user can modify portions of the repository.
>
> If this is the case, can somebody who has access to svn.collab.net add
> the scripts that check this to the svn repos? My own svn tree needs
> to limit user privileges.
Actually, it's done with an Apache directive in httpd.conf:
   <Location /repos/svn>
      DAV svn
      SVNPath /usr/www/repositories/svn
      AuthType Basic
      AuthName "Subversion repository"
      AuthUserFile /path/to/user-password-file
      <LimitExcept GET PROPFIND OPTIONS REPORT>
         require valid-user
      </LimitExcept>
   </Location>
You can guess what `user-password-file' looks like:
sussman:3cWfQ5Fd3IHDs
cmpilato:l/Reg4KcCoRzA
daniel:SPdOtlrj3Tulo
rassilon:fJQV.wcKXsv1s
joe:Mj5PfWII6owEc
ghudson:269Bj0om7dcck
kfogel:kWHEfNSw8E072
fitz:yQ6e3UKenEtHs
gstein:eqdruAKenuVIY
brane:KDo7y/rCeccpI
kevin:Y8cSAmqwlcE9c
jimb:EXYREM6Z.WXwg
XelaRellum:wxdbNuNbFBY8g
david:8rToUdoo7RU16
yoshiki:qFKod7M78YfKM
philip:Xe3ni9SyCn9Vo
striker:kZJZDbRT494YE
jerenkrantz:Qyh9cksgD0/zQ
rooneg:7M0spRgNEsXj2
kbohling:plf1/rKKv16Fg
bcollins:0gp5G.XWEzb2.
blair:j3yae38dSetTg
naked:PT08jPeEmyC32
nsd:cNhtNRN25Asoo
And no, those aren't their real encrypted passwords :-).
-Karl
Re: start-commit user access scripts
Posted by Ben Collins-Sussman <su...@collab.net>.
Karl Fogel <kf...@newton.ch.collab.net> writes:
> "Sander Striker" <st...@apache.org> writes:
> > No, it is not possible to do this in a simple way yet. See this thread:
> > http://subversion.tigris.org/servlets/ReadMsg?list=dev&msgNo=10466
>
> Oh, whups! Forgot about that problem. Dang.
>
> I've filed new issue #775 about this, putting it in Beta for now. We
> may reprioritize it after Greg Stein gets back and can contribute to
> this. It's clear from your response in the above-referenced thread
> that this problem is not trivial...
For now, you can get finer-grained authorization control by writing a
custom pre-commit hook script.
Just have the script use 'svnlook' to examine the pending transaction
and username. The script can grep for the paths that are being
changed, and decide if the user is allowed to change them or not. If
not, have the script exit non-zero, and the commit will be aborted.
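
The pre-commit check described in the message above, as an added example that is not part of the original thread or of the Subversion project's code. The `user:path-prefix` ACL, the user names and the function names are assumptions; the script uses `svnlook author` and `svnlook changed` with the `-t TXN REPOS` argument form, and the repos/1 and repos/2 layout from Blair's question.

```sh
#!/bin/sh
# Added example: pre-commit hook with per-path write control.
# Subversion runs the hook as: pre-commit REPOS TXN

# Hypothetical ACL, one "user:path-prefix" entry per line (constructed).
ACL='alice:1/
bob:1/
bob:2/'

# user_may_write USER PATH: succeeds if an ACL prefix for USER covers PATH.
user_may_write() {
    um_user=$1 um_path=$2
    while IFS=: read -r acl_user acl_prefix; do
        [ -n "$acl_user" ] && [ "$acl_user" = "$um_user" ] || continue
        case $um_path in
            "$acl_prefix"*) return 0 ;;
        esac
    done <<EOF
$ACL
EOF
    return 1
}

# check_commit USER: reads `svnlook changed` output on stdin and fails on
# the first path USER may not modify, so a mixed commit is rejected whole.
check_commit() {
    cc_user=$1
    [ -n "$cc_user" ] || return 1          # unauthenticated: deny
    while IFS= read -r line; do
        path=${line#????}                  # drop the 4-column status prefix
        [ -n "$path" ] || continue
        if ! user_may_write "$cc_user" "$path"; then
            echo "commit denied: $cc_user may not modify $path" >&2
            return 1
        fi
    done
    return 0
}

# Hook entry point; skipped when the file is run without hook arguments.
if [ "$#" -eq 2 ]; then
    REPOS=$1 TXN=$2
    AUTHOR=$(svnlook author -t "$TXN" "$REPOS") || exit 1
    CHANGED=$(svnlook changed -t "$TXN" "$REPOS") || exit 1   # fail closed
    printf '%s\n' "$CHANGED" | check_commit "$AUTHOR" || exit 1
fi
```

The prefixes end in `/` so that an entry for `1/` does not also grant `10/`.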
Re: start-commit user access scripts
Posted by Karl Fogel <kf...@newton.ch.collab.net>.
"Sander Striker" <st...@apache.org> writes:
> No, it is not possible to do this in a simple way yet. See this thread:
> http://subversion.tigris.org/servlets/ReadMsg?list=dev&msgNo=10466
Oh, whups! Forgot about that problem. Dang.
I've filed new issue #775 about this, putting it in Beta for now. We
may reprioritize it after Greg Stein gets back and can contribute to
this. It's clear from your response in the above-referenced thread
that this problem is not trivial...
RE: start-commit user access scripts
Posted by Sander Striker <st...@apache.org>.
> From: Karl Fogel [mailto:kfogel@newton.ch.collab.net]
> Sent: 01 July 2002 04:07
> Blair Zajac <bl...@orcaware.com> writes:
> > I haven't tested this, but if you have a repository set up like
> >
> > repos/1
> > repos/2
> >
> > and user A has write access via <LimitExcept> to 1 but not to 2 and
> > attempts a commit to 1 and 2, then it'll fail?
No, it is not possible to do this in a simple way yet. See this thread:
http://subversion.tigris.org/servlets/ReadMsg?list=dev&msgNo=10466
[and related threads that I can't seem to locate quickly]
Sander
Re: start-commit user access scripts
Posted by Karl Fogel <kf...@newton.ch.collab.net>.
Blair Zajac <bl...@orcaware.com> writes:
> I haven't tested this, but if you have a repository set up like
>
> repos/1
> repos/2
>
> and user A has write access via <LimitExcept> to 1 but not to 2 and
> attempts a commit to 1 and 2, then it'll fail?
Should, yeah. Let us know... :-)
-K
Re: start-commit user access scripts
Posted by Blair Zajac <bl...@orcaware.com>.
Garrett Rooney wrote:
>
> On Sun, Jun 30, 2002 at 06:52:39PM -0700, Blair Zajac wrote:
> > I'm looking at COMMITTERS and I'm guessing that there's a script on
> > svn.collab.net that is run from start-commit that checks to make
> > sure a particular user can modify portions of the repository.
> >
> > If this is the case, can somebody who has access to svn.collab.net add
> > the scripts that check this to the svn repos? My own svn tree needs
> > to limit user privileges.
>
> actually, it's all being handled by apache, via a <LimitExcept> clause
> in httpd.conf. in order to perform certain actions on the repository,
> you just have to have a valid user (http authentication). check out
> INSTALL for details on how to set that up.
OK. I've already got Apache set up that way. I just figured there
would be an easier way to set this up, ala the way CVS is set up for
the Apache CVS archives with commit_check, commit_prep and the acl
files.
I haven't tested this, but if you have a repository set up like
repos/1
repos/2
and user A has write access via <LimitExcept> to 1 but not to 2 and
attempts a commit to 1 and 2, then it'll fail?
Best,
Blair
--
Blair Zajac <bl...@orcaware.com>
Web and OS performance plots - http://www.orcaware.com/orca/
Re: start-commit user access scripts
Posted by Garrett Rooney <ro...@electricjellyfish.net>.
On Sun, Jun 30, 2002 at 06:52:39PM -0700, Blair Zajac wrote:
> I'm looking at COMMITTERS and I'm guessing that there's a script on
> svn.collab.net that is run from start-commit that checks to make
> sure a particular user can modify portions of the repository.
>
> If this is the case, can somebody who has access to svn.collab.net add
> the scripts that check this to the svn repos? My own svn tree needs
> to limit user privileges.
actually, it's all being handled by apache, via a <LimitExcept> clause
in httpd.conf. in order to perform certain actions on the repository,
you just have to have a valid user (http authentication). check out
INSTALL for details on how to set that up.
-garrett
--
garrett rooney
rooneg@electricjellyfish.net
http://electricjellyfish.net/
Remember, any design flaw you're sufficiently snide about becomes a feature. -- Dan Sugalski