Posted to dev@subversion.apache.org by Lars Gullik Bjønnes <la...@gullik.net> on 2005/11/15 09:38:29 UTC

[gmane.comp.version-control.subversion.user] Running svnserve as suid svn

I did not get any answers on this one at the users lists, so I try my
luck here as well.


Re: [gmane.comp.version-control.subversion.user] Running svnserve as suid svn

Posted by kf...@collab.net.
larsbj@gullik.net (Lars Gullik Bjønnes) writes:
> I did not get any answers on this one at the users lists, so I try my
> luck here as well.

Just because you did not get any answers on the users@ list does not
make your post appropriate for dev@subversion.tigris.org.  The charter
of dev@ does not change when posts on users@ go unanswered :-).

I wish you luck with your svn+ssh:// question, but this list is about
the development of Subversion itself.  A good way to tell when a
question is appropriate here is to ask yourself if the answer to the
question would help Subversion development more, or would help the
poster more.  If the latter, the question probably doesn't belong on
this list.  Please help us keep dev@ traffic down -- it's already busy
enough here.

Although I'm responding to your original post, I'm quoting Alan
Barrett's reply below, so that people on users@ (which I have CC'd)
can benefit from the answer.

Best,
-Karl

> From: Alan Barrett <ap...@cequrux.com>
> Subject: Re: [gmane.comp.version-control.subversion.user] Running svnserve as suid svn
> To: dev@subversion.tigris.org
> Date: Tue, 15 Nov 2005 12:09:37 +0200
> 
> On Tue, 15 Nov 2005, Lars Gullik Bjønnes wrote:
> > For several reasons we are required to use svn+ssh:// to access our
> > svn repo, at the same time we then dislike that we must have a common
> > group for all the svn users, and that the users then can muck around
> > in the repo itself and create (unintentional) havoc.
> 
> You don't need to put all the users in a group that can access the
> file system that contains the repository.  Search for "It is also
> possible to have multiple users share a single account" in the red-bean
> book (http://svnbook.red-bean.com/).  Then your users will access
> the repository via URLs like svn+ssh://subversion@hostname/reponame/
> (all users sharing the "subversion" account on the server side, but
> restricted by ssh configuration so that they can only run svnserve, they
> can't login directly as the "subversion" user).
> 
> > It seems to us that a (temporal, until svnserve supports SASL/SSL)
> > solution might be to make the svnserve binary suid svn.
> > Is this something anyone has tried? Will it work as expected, or will
> > it burn down the house?
> 
> Search the dev mailing list archives for patches from Perry Metzger to
> allow svnserve to run setuid or setgid (I forget what Perry implemented,
> and I don't use those patches).
> 
> --apb (Alan Barrett)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org


Re: [gmane.comp.version-control.subversion.user] Running svnserve as suid svn

Posted by Alan Barrett <ap...@cequrux.com>.
On Tue, 15 Nov 2005, Lars Gullik Bjønnes wrote:
> For several reasons we are required to use svn+ssh:// to access our
> svn repo, at the same time we then dislike that we must have a common
> group for all the svn users, and that the users then can muck around
> in the repo itself and create (unintentional) havoc.

You don't need to put all the users in a group that can access the
file system that contains the repository.  Search for "It is also
possible to have multiple users share a single account" in the red-bean
book (http://svnbook.red-bean.com/).  Then your users will access
the repository via URLs like svn+ssh://subversion@hostname/reponame/
(all users sharing the "subversion" account on the server side, but
restricted by ssh configuration so that they can only run svnserve, they
can't login directly as the "subversion" user).

> It seems to us that a (temporal, until svnserve supports SASL/SSL)
> solution might be to make the svnserve binary suid svn.
> Is this something anyone has tried? Will it work as expected, or will
> it burn down the house?

Search the dev mailing list archives for patches from Perry Metzger to
allow svnserve to run setuid or setgid (I forget what Perry implemented,
and I don't use those patches).

--apb (Alan Barrett)
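
Added example (not part of the thread, the svnbook or Subversion itself): the shared-account setup described above is only as tight as the options on each key in the shared account's authorized_keys file, so this sketch audits such a file for keys that are not pinned to svnserve. The function names, user names, the /srv/svn path and the key blobs are constructed for illustration.

```python
import re

# Restrictions that keep key holders from doing anything but running svnserve.
LOCKS = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding", "no-pty"}
KEY_TYPE = re.compile(r"(ssh-|ecdsa-|sk-)")
QUOTED = r'"(?:\\.|[^"\\])*"'
FIELD = re.compile(r'((?:%s|[^\s"])+)\s+(.*)' % QUOTED)  # options field, then key
OPTION = re.compile(r'(?:%s|[^,"])+' % QUOTED)           # one comma-separated option

def parse_entry(line):
    """Split one authorized_keys entry into ({option: value}, key fields)."""
    line = line.strip()
    m = None if KEY_TYPE.match(line) else FIELD.match(line)
    if not m:                              # no options field at all
        return {}, line.split()
    options = {}
    for opt in OPTION.findall(m.group(1)):
        name, _, value = opt.partition("=")
        if value[:1] == '"':               # unquote and unescape the value
            value = value[1:-1].replace('\\"', '"')
        options[name.lower()] = value      # option keywords are case-insensitive
    return options, m.group(2).split()

def audit(text):
    """Return {key comment: [problems]} for entries not locked to svnserve."""
    findings = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        options, key = parse_entry(line)
        cmd = options.get("command", "").split()
        problems = []
        if not cmd or cmd[0].rsplit("/", 1)[-1] != "svnserve" or "-t" not in cmd:
            problems.append("no forced 'svnserve -t' command")
        elif not any(a.startswith("--tunnel-user=") for a in cmd):
            problems.append("no --tunnel-user")
        if "restrict" not in options:      # 'restrict' switches all four locks on
            problems += ["missing " + m for m in sorted(LOCKS - options.keys())]
        if problems:
            findings[key[2] if len(key) > 2 else "line %d" % n] = problems
    return findings

SAMPLE = """\
# constructed sample of ~subversion/.ssh/authorized_keys
command="svnserve -t --tunnel-user=alice -r /srv/svn",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAAC3constructedA alice
command="svnserve -t -r /srv/svn",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAAC3constructedB bob
no-pty ssh-rsa AAAAB3constructedC carol
ssh-ed25519 AAAAC3constructedD dave
"""
```

Running audit(SAMPLE) leaves alice's key unflagged and reports the other three; a key without --tunnel-user still works, but svnserve then records the shared account rather than the person as the author.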