apache user invoking svn

[Bradley Wagner <br...@hannonhill.com>]

I'm sure this is a FAQ, but I couldn't find this question either in  
the SVN FAQ. Basically, which user is invoking the commands on the  
repository when you access it via Apache? My repository is owned by  
root and writable by my developer's group. The http user is  
definitely not in the developer's group, so I'm trying to figure out  
how it's able to write to the repository directory.

Ultimately, what I'm trying to do is disallow individual users from  
running svnserve via svn+ssh:// in favor of going through http://. I  
think I could accomplish this by changing the ownership of the  
repository directory to be writable by root only assuming that apache  
was invoking these commands as the root user.

Otherwise, I'll probably have to maange a different authz-db file for  
the svnserve.conf that disallows access for everyone in addition to  
the one I actually use for apache.

Thanks,
Bradley

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: apache user invoking svn

[Nico Kadel-Garcia <nk...@comcast.net>]

Bradley Wagner wrote:
> I'm sure this is a FAQ, but I couldn't find this question either in
> the SVN FAQ. Basically, which user is invoking the commands on the
> repository when you access it via Apache? My repository is owned by
> root and writable by my developer's group. The http user is
> definitely not in the developer's group, so I'm trying to figure out
> how it's able to write to the repository directory.

The owner of the httpd daemon, typically "httpd" or "apache" or "www" 
depending on your particular setup. It might be a really useful technique to 
use a virtual server for SVN and use "AssignUserID svnserve", to keep 
ownership consistent for any svnserve access.

> Ultimately, what I'm trying to do is disallow individual users from
> running svnserve via svn+ssh:// in favor of going through http://. I
> think I could accomplish this by changing the ownership of the
> repository directory to be writable by root only assuming that apache
> was invoking these commands as the root user.

You'll break anything that's already checked out from being checked back in, 
until they do a "switch" command. But yes, you should be able to yank write 
permissions for the svnserve user in svnserve.conf.

> Otherwise, I'll probably have to maange a different authz-db file for
> the svnserve.conf that disallows access for everyone in addition to
> the one I actually use for apache.

Well, yes. But I dislike the syntax and limited read/write/none access of 
the svnserve.conf. Take a good look at svnperms.conf and svnperms.py, 
seriously, and a matching pre-commit script. It works very well for 
providing excellent resolution over read, add, update, and delete 
capabilities as discrete settings. 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: apache user invoking svn

[Bradley Wagner <br...@hannonhill.com>]

On Jul 27, 2006, at 1:33 PM, Toby Johnson wrote:

> Nico Kadel-Garcia wrote:
>> Toby Johnson wrote:
>>> Bradley Wagner wrote:
>>>>
>>>>> svnserve.conf has no affect on Apache, are you running svnserve as
>>>>> well? If your goal is to ensure all access is via http only,  
>>>>> all you
>>>>> need to do is make the repo directory owned by the Apache user,  
>>>>> with
>>>>> +rwX permissions, and no permissions for group or others.
>>>>
>>>> yes, that is exactly my goal. I was wondering if there was any more
>>>> elegant way in svn to disable access via svn+ssh:// other than
>>>> changing the directory ownership to be only the user running  
>>>> apache.
>>>> I think managing a separate authz_db file for svnserve.conf that  
>>>> just
>>>> disables all access would probably be easiest. Though, will that
>>>> affect apache's ability to invoke svn? I guess I'm a little unclear
>>>> about the different mechanisms for invoking SVN.
>>>>
>>>> Bradley
>>> How is setting filesystem permissions inelegant? That's exactly what
>>> filesystem permissions are for. The problem is that the svn repo is
>>> just a bunch of files. If someone has access to those files, they
>>> could either access them directly using file://, or they could  
>>> set up
>>> their own svnserve process or their own Apache process or whatever
>>> they want to to bypass whatever you might set in some configuration
>>> file.
>>> So the answer is no, there is no way to prevent svn+ssh access
>>> through a config file, because there is no way to force clients to
>>> even use your config file. If you want to prevent all access except
>>> via Apache, then using filesystem permissions is the only way to
>>> accomplish that.
>>
>> There's the pre-commit script and svnperms.conf and svnperms.py,  
>> which works just fine.
>
> That's still just a ruse. If someone really wanted to they could  
> bypass the pre-commit scripts, or overwrite them. My point is that  
> unless you restrict filesystem permissions to just the users that  
> have any business writing to those files directly, there's really  
> no way to secure it.
>
> If you only want Apache reading/writing those files then only  
> Apache should have filesystem permissions to do so, period. Unless  
> I'm misunderstanding the problem, that is the issue he is trying to  
> solve.


No, you're understanding it correctly and I think you're absolutely  
right. Because a user logged on locally could still access the  
repository using the file://  bypassing svnserve and the associated  
svnserve.conf file all together. It makes sense that if I want to  
only allow apache access that the user running the apache process be  
the only ones with access to the file.

Thanks for taking the time to explain it.

Bradley

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: apache user invoking svn

[Toby Johnson <to...@etjohnson.us>]

Nico Kadel-Garcia wrote:
> Toby Johnson wrote:
>> Bradley Wagner wrote:
>>>
>>>> svnserve.conf has no affect on Apache, are you running svnserve as
>>>> well? If your goal is to ensure all access is via http only, all you
>>>> need to do is make the repo directory owned by the Apache user, with
>>>> +rwX permissions, and no permissions for group or others.
>>>
>>> yes, that is exactly my goal. I was wondering if there was any more
>>> elegant way in svn to disable access via svn+ssh:// other than
>>> changing the directory ownership to be only the user running apache.
>>> I think managing a separate authz_db file for svnserve.conf that just
>>> disables all access would probably be easiest. Though, will that
>>> affect apache's ability to invoke svn? I guess I'm a little unclear
>>> about the different mechanisms for invoking SVN.
>>>
>>> Bradley
>> How is setting filesystem permissions inelegant? That's exactly what
>> filesystem permissions are for. The problem is that the svn repo is
>> just a bunch of files. If someone has access to those files, they
>> could either access them directly using file://, or they could set up
>> their own svnserve process or their own Apache process or whatever
>> they want to to bypass whatever you might set in some configuration
>> file.
>> So the answer is no, there is no way to prevent svn+ssh access
>> through a config file, because there is no way to force clients to
>> even use your config file. If you want to prevent all access except
>> via Apache, then using filesystem permissions is the only way to
>> accomplish that.
>
> There's the pre-commit script and svnperms.conf and svnperms.py, which 
> works just fine. 

That's still just a ruse. If someone really wanted to they could bypass 
the pre-commit scripts, or overwrite them. My point is that unless you 
restrict filesystem permissions to just the users that have any business 
writing to those files directly, there's really no way to secure it.

If you only want Apache reading/writing those files then only Apache 
should have filesystem permissions to do so, period. Unless I'm 
misunderstanding the problem, that is the issue he is trying to solve.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: apache user invoking svn

[Nico Kadel-Garcia <nk...@comcast.net>]

Toby Johnson wrote:
> Bradley Wagner wrote:
>>
>>> svnserve.conf has no affect on Apache, are you running svnserve as
>>> well? If your goal is to ensure all access is via http only, all you
>>> need to do is make the repo directory owned by the Apache user, with
>>> +rwX permissions, and no permissions for group or others.
>>
>> yes, that is exactly my goal. I was wondering if there was any more
>> elegant way in svn to disable access via svn+ssh:// other than
>> changing the directory ownership to be only the user running apache.
>> I think managing a separate authz_db file for svnserve.conf that just
>> disables all access would probably be easiest. Though, will that
>> affect apache's ability to invoke svn? I guess I'm a little unclear
>> about the different mechanisms for invoking SVN.
>>
>> Bradley
> How is setting filesystem permissions inelegant? That's exactly what
> filesystem permissions are for. The problem is that the svn repo is
> just a bunch of files. If someone has access to those files, they
> could either access them directly using file://, or they could set up
> their own svnserve process or their own Apache process or whatever
> they want to to bypass whatever you might set in some configuration
> file.
> So the answer is no, there is no way to prevent svn+ssh access
> through a config file, because there is no way to force clients to
> even use your config file. If you want to prevent all access except
> via Apache, then using filesystem permissions is the only way to
> accomplish that.

There's the pre-commit script and svnperms.conf and svnperms.py, which works 
just fine. 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: apache user invoking svn

[Toby Johnson <to...@etjohnson.us>]

Bradley Wagner wrote:
>
>> svnserve.conf has no affect on Apache, are you running svnserve as 
>> well? If your goal is to ensure all access is via http only, all you 
>> need to do is make the repo directory owned by the Apache user, with 
>> +rwX permissions, and no permissions for group or others.
>
> yes, that is exactly my goal. I was wondering if there was any more 
> elegant way in svn to disable access via svn+ssh:// other than 
> changing the directory ownership to be only the user running apache. I 
> think managing a separate authz_db file for svnserve.conf that just 
> disables all access would probably be easiest. Though, will that 
> affect apache's ability to invoke svn? I guess I'm a little unclear 
> about the different mechanisms for invoking SVN.
>
> Bradley
How is setting filesystem permissions inelegant? That's exactly what 
filesystem permissions are for. The problem is that the svn repo is just 
a bunch of files. If someone has access to those files, they could 
either access them directly using file://, or they could set up their 
own svnserve process or their own Apache process or whatever they want 
to to bypass whatever you might set in some configuration file.

So the answer is no, there is no way to prevent svn+ssh access through a 
config file, because there is no way to force clients to even use your 
config file. If you want to prevent all access except via Apache, then 
using filesystem permissions is the only way to accomplish that.

toby

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: apache user invoking svn

[Bradley Wagner <br...@hannonhill.com>]

> svnserve.conf has no affect on Apache, are you running svnserve as  
> well? If your goal is to ensure all access is via http only, all  
> you need to do is make the repo directory owned by the Apache user,  
> with +rwX permissions, and no permissions for group or others.

yes, that is exactly my goal. I was wondering if there was any more  
elegant way in svn to disable access via svn+ssh:// other than  
changing the directory ownership to be only the user running apache.  
I think managing a separate authz_db file for svnserve.conf that just  
disables all access would probably be easiest. Though, will that  
affect apache's ability to invoke svn? I guess I'm a little unclear  
about the different mechanisms for invoking SVN.

Bradley

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: apache user invoking svn

[Toby Johnson <to...@etjohnson.us>]

Bradley Wagner wrote:
> I'm sure this is a FAQ, but I couldn't find this question either in 
> the SVN FAQ. Basically, which user is invoking the commands on the 
> repository when you access it via Apache? My repository is owned by 
> root and writable by my developer's group. The http user is definitely 
> not in the developer's group, so I'm trying to figure out how it's 
> able to write to the repository directory.

There must be a problem with your permissions then, because whatever 
user Apache runs as is the one used to access your local repo files.

> Ultimately, what I'm trying to do is disallow individual users from 
> running svnserve via svn+ssh:// in favor of going through http://. I 
> think I could accomplish this by changing the ownership of the 
> repository directory to be writable by root only assuming that apache 
> was invoking these commands as the root user.

You can certainly take write permissions away from the dev group (and 
probably should) but the apache user still needs read/write permissions 
(and execute permissions on directories).

> Otherwise, I'll probably have to maange a different authz-db file for 
> the svnserve.conf that disallows access for everyone in addition to 
> the one I actually use for apache.

svnserve.conf has no affect on Apache, are you running svnserve as well? 
If your goal is to ensure all access is via http only, all you need to 
do is make the repo directory owned by the Apache user, with +rwX 
permissions, and no permissions for group or others.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org