Posted to users@subversion.apache.org by Travis Love <dr...@gmail.com> on 2006/07/26 18:51:10 UTC
NIS and Group control
I have Apache configured to access the SVN repository through NIS.
However, the NIS table has a number of users I don't want to access
the repository. Is there any way for me to restrict access to that
particular group?
Any advice would be appreciated,
Travis Love
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: NIS and Group control
Posted by Travis Love <dr...@gmail.com>.
This functions very well. That command is tested and correct. Thank
you very much, you've been a great help.
Also, because that uses groups, I don't have to cron job it, just run
it whenever there's a change in group membership (which should be
rare, given my current deployment.)
Thanks a lot,
Travis
Re: NIS and Group control
Posted by Duane Griffin <d....@psenterprise.com>.
On Thu, 2006-07-27 at 16:17 -0400, Travis Love wrote:
> Once more, I promise. I've done everything, and it seems there are
> still some tweaks that need doing that haven't been documented, so
> once more. svnperms.conf is in /svn/repos/conf, svnperms.py and
> pre-commit are in /svn/repos/hooks. This is what they look like:
[snip]
The pre-commit hook won't help you prevent people from viewing the
repository. Nor will any other type of hook, I'm afraid. As far as I
know the best approach is to use the NIS for authentication and authz
for access control (and yes, this will involve a cron job). You've
already got apache configured to use NIS through PAM, so that part is
fine. Now you need to set up authz access control:
...
LoadModule authz_svn_module modules/mod_authz_svn.so
...
<Location /repo>
...
AuthzSVNAccessFile /var/svn/repo/conf/passwd
...
</Location>
Create the access-control file from a cron job with something like this:
ypcat group | awk -F : 'BEGIN {print "[/]\n* =\n@reviewers = r\n@writers = rw\n\n[groups]"} {print $1, "=", $4}' > /var/svn/repo/conf/passwd
(Note: eyeball tested only!)
If it is possible to configure apache to do the access-control based on
the user's group that would be preferable, but I can't help with that.
The setup I've described is similar to what we use here, so I know it
works in principle.
> That's everything I've modified. I can access the repository as
> either the group user or as a non-group user. Both users are
> authenticated through NIS, neither user is a member of a group
> "group1" in /etc/passwd, SVN server is running Fedora Core 5. I want
> to let the group user have all permissions and the non-group user be
> unable to see the code. Can I even do this with NIS authentication,
> or do I need to have a cron job dump the NIS table to a file for
> subversion to use over svnserve?
>
> Paranoia? No. I'm implementing this for a Comp. Sci professor, who
> is very concerned about code theft/plagiarism among his students.
>
> Thanks for any help you can give, I'm very stuck here.
> -Travis
Hope this helps!
Cheers,
Duane.
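
An added example, not part of Duane's message: the same NIS-to-authz generation as a script that fails closed. It only installs a new file when the NIS map actually returned one of the groups named in the rules, and it swaps the file in with a rename so Apache never reads a truncated copy. The group names reviewers and writers and the file path come from the message above; the function names, the sample data and the file mode are assumptions.

```shell
#!/bin/sh
# Constructed sample in group(5) format, standing in for `ypcat group` output.
SAMPLE='writers:*:5001:tlove2,alice
reviewers:*:5002:bob
students:*:5003:carol,dave
empty:*:5004:'

# gen_authz: read group lines on stdin, write a mod_authz_svn file on stdout.
# Only the groups used in the [/] rules are exported, and only if non-empty.
# Exit status is 1 when neither group was found (e.g. NIS returned nothing).
gen_authz() {
    awk -F: '
        BEGIN { print "[groups]" }
        ($1 == "reviewers" || $1 == "writers") && $4 != "" {
            print $1 " = " $4
            seen[$1] = 1
        }
        END {
            print ""
            print "[/]"
            print "* ="                       # everyone else: no access
            if (seen["reviewers"]) print "@reviewers = r"
            if (seen["writers"])   print "@writers = rw"
            exit ((seen["reviewers"] || seen["writers"]) ? 0 : 1)
        }'
}

# install_authz DEST: regenerate DEST from NIS, keeping the old file on failure.
install_authz() {
    dest=$1
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    if ypcat group | gen_authz > "$tmp"; then
        chmod 644 "$tmp"      # assumption: Apache must be able to read the file
        mv -f "$tmp" "$dest"  # rename within one directory replaces it in one step
    else
        rm -f "$tmp"
        echo "no usable NIS group data; leaving $dest unchanged" >&2
        return 1
    fi
}

# Demonstration on the constructed sample; a cron job would instead run:
#   install_authz /var/svn/repo/conf/passwd
printf '%s\n' "$SAMPLE" | gen_authz
```

With the one-line redirect form, a failed ypcat leaves a freshly truncated file containing rules for groups that are no longer defined; here the previous file stays in place.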
Re: NIS and Group control
Posted by Travis Love <dr...@gmail.com>.
Once more, I promise. I've done everything, and it seems there are
still some tweaks that need doing that haven't been documented, so
once more. svnperms.conf is in /svn/repos/conf, svnperms.py and
pre-commit are in /svn/repos/hooks. This is what they look like:
--svnperms.conf--
[groups]
group1 = tlove2
--svnperms.py--
[Ripped straight from subversion source. Do modifications need to be made?]
--pre-commit--
[Template, only with]
svnperms.py -r "$REPOS" -t "$TXN" || exit 1
[instead of the other two "exit 1" lines]
httpd.conf looks like:
<VirtualHost *>
DocumentRoot "/svn/repos"
ServerName svntest.my.server.com
<Location "/">
DAV svn
SVNPath /svn/repos
AuthName "Please Login"
AuthType Basic
AuthPAM_Enabled on
Require valid-user
</Location>
</VirtualHost>
That's everything I've modified. I can access the repository as
either the group user or as a non-group user. Both users are
authenticated through NIS, neither user is a member of a group
"group1" in /etc/passwd, SVN server is running Fedora Core 5. I want
to let the group user have all permissions and the non-group user be
unable to see the code. Can I even do this with NIS authentication,
or do I need to have a cron job dump the NIS table to a file for
subversion to use over svnserve?
Paranoia? No. I'm implementing this for a Comp. Sci professor, who
is very concerned about code theft/plagiarism among his students.
Thanks for any help you can give, I'm very stuck here.
-Travis
Re: NIS and Group control
Posted by Nico Kadel-Garcia <nk...@comcast.net>.
Travis Love wrote:
> I have Apache configured to access the SVN repository through NIS.
> However, the NIS table has a number of users I don't want to access
> the repository. Is there any way for me to restrict access to that
> particular group?
>
> Any advice would be appreciated,
> Travis Love
Yes. Create an Apache group with a ".htgroup" file, and put the people you
want to have access in that group.