Posted to users@subversion.apache.org by Travis Love <dr...@gmail.com> on 2006/07/26 18:51:10 UTC

NIS and Group control

I have Apache configured to access the SVN repository through NIS.
However, the NIS table has a number of users I don't want to access
the repository.  Is there any way for me to restrict access to that
particular group?

Any advice would be appreciated,
Travis Love

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: NIS and Group control

Posted by Travis Love <dr...@gmail.com>.
This functions very well.  That command is tested and correct.  Thank
you very much, you've been a great help.

Also, because that uses groups, I don't have to cron job it, just run
it whenever there's a change in group membership (which should be
rare, given my current deployment.)

Thanks a lot,
Travis


Re: NIS and Group control

Posted by Duane Griffin <d....@psenterprise.com>.
On Thu, 2006-07-27 at 16:17 -0400, Travis Love wrote:
> Once more, I promise.  I've done everything, and it seems there are
> still some tweaks that need doing that haven't been documented, so
> once more.  svnperms.conf is in /svn/repos/conf, svnperms.py and
> pre-commit are in /svn/repos/hooks.  This is what they look like:
[snip]

The pre-commit hook won't help you prevent people from viewing the
repository. Nor will any other type of hook, I'm afraid. As far as I
know the best approach is to use the NIS for authentication and authz
for access control (and yes, this will involve a cron job). You've
already got apache configured to use NIS through PAM, so that part is
fine. Now you need to setup authz access control:

...
LoadModule authz_svn_module modules/mod_authz_svn.so
...
<Location /repo>
  ...
  AuthzSVNAccessFile /var/svn/repo/conf/passwd
  ...
</Location>

Create the access-control file from a cron job with something like this:

ypcat group | awk -F : 'BEGIN {print "[/]\n* =\n@reviewers = r\n@writers = rw\n\n[groups]"} {print $1, "=", $4}' > /var/svn/repo/conf/passwd

(Note: eyeball tested only!)

If it is possible to configure apache to do the access-control based on
the user's group that would be preferable, but I can't help with that.
The setup I've described is similar to what we use here, so I know it
works in principle.

> That's everything I've modified.  I can access the repository as
> either the group user or as a non-group user.  Both users are
> authenticated through NIS, neither user is a member of a group
> "group1" in /etc/passwd, SVN server is running Fedora Core 5.  I want
> to let the group user have all permissions and the non-group user be
> unable to see the code.  Can I even do this with NIS authentication,
> or do I need to have a cron job dump the NIS table to a file for
> subversion to use over svnserve?
> 
> Paranoia?  No.  I'm implementing this for a Comp. Sci professor, who
> is very concerned about code theft/plagiarism among his students.
> 
> Thanks for any help you can give, I'm very stuck here.
> -Travis

Hope this helps!

Cheers, 
Duane.
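
Added example (not part of Duane's message or of Subversion): the one-liner above redirects straight into the live access file, so the file is truncated before ypcat runs and a failed NIS lookup leaves rules whose groups have no definition. The sketch below builds the file beside the target and renames it into place only when the lookup succeeded and both referenced groups were found. The function names, the allowed-character check, the file mode and the sample data in the test are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Group names "reviewers" and "writers"
# are Duane's; function names and sample inputs are constructed.

# stdin: group-map lines (name:passwd:gid:member,member). stdout: authz file.
# $1: space-separated groups to emit; all of them must be present in the input.
gen_authz() {
    awk -F : -v wanted="$1" '
        BEGIN {
            n = split(wanted, w, " ")
            for (i = 1; i <= n; i++) keep[w[i]] = 1
            print "[/]\n* =\n@reviewers = r\n@writers = rw\n\n[groups]"
        }
        # Skip malformed lines and groups the rules do not reference.
        NF < 4 || !($1 in keep) { next }
        # Assumption: user names use only these characters; reject the rest.
        $4 !~ /^[A-Za-z0-9._,-]*$/ { bad = 1; next }
        { print $1, "=", $4; seen[$1] = 1 }
        END {
            for (g in keep) if (!(g in seen)) bad = 1
            exit bad + 0
        }'
}

# usage: install_authz TARGET SOURCE_COMMAND [ARGS...]
# Builds beside TARGET and renames into place only if every step succeeded,
# so a failed lookup never replaces the file Apache is reading.
install_authz() {
    target=$1; shift
    tmp=$(mktemp "$target.XXXXXX") || return 1
    rc=1
    if "$@" > "$tmp.raw" && gen_authz "reviewers writers" < "$tmp.raw" > "$tmp"
    then
        # mktemp creates the file 0600; assumed here that httpd needs 0644.
        chmod 644 "$tmp" && mv -f "$tmp" "$target" && rc=0
    fi
    rm -f "$tmp" "$tmp.raw"
    return $rc
}

# From cron (as in the thread): install_authz /var/svn/repo/conf/passwd ypcat group
```

A non-zero exit from install_authz means the previous access file is still in place, which is the condition the cron job should report.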


Re: NIS and Group control

Posted by Travis Love <dr...@gmail.com>.
Once more, I promise.  I've done everything, and it seems there are
still some tweaks that need doing that haven't been documented, so
once more.  svnperms.conf is in /svn/repos/conf, svnperms.py and
pre-commit are in /svn/repos/hooks.  This is what they look like:

--svnperms.conf--
[groups]
group1 = tlove2

--svnperms.py--
[Ripped straight from subversion source.  Do modifications need to be made?]

--pre-commit--
[Template, only with]
svnperms.py -r "$REPOS" -t "$TXN" || exit 1
[instead of the other two "exit 1" lines]

httpd.conf looks like:
<VirtualHost *>
DocumentRoot "/svn/repos"
ServerName svntest.my.server.com
<Location "/">
DAV svn
SVNPath /svn/repos
AuthName "Please Login"
AuthType Basic
AuthPAM_Enabled on
Require valid-user
</Location>
</VirtualHost>

That's everything I've modified.  I can access the repository as
either the group user or as a non-group user.  Both users are
authenticated through NIS, neither user is a member of a group
"group1" in /etc/passwd, SVN server is running Fedora Core 5.  I want
to let the group user have all permissions and the non-group user be
unable to see the code.  Can I even do this with NIS authentication,
or do I need to have a cron job dump the NIS table to a file for
subversion to use over svnserve?

Paranoia?  No.  I'm implementing this for a Comp. Sci professor, who
is very concerned about code theft/plagiarism among his students.

Thanks for any help you can give, I'm very stuck here.
-Travis


Re: NIS and Group control

Posted by Nico Kadel-Garcia <nk...@comcast.net>.
Travis Love wrote:
> I have Apache configured to access the SVN repository through NIS.
> However, the NIS table has a number of users I don't want to access
> the repository.  Is there any way for me to restrict access to that
> particular group?
>
> Any advice would be appreciated,
> Travis Love

Yes. Create an Apache group with a ".htgroup" file, and put the people you
want to have access in that group.
