Posted to users@subversion.apache.org by Bradley Wagner <br...@hannonhill.com> on 2006/07/27 13:51:53 UTC
apache user invoking svn
I'm sure this is a FAQ, but I couldn't find this question either in
the SVN FAQ. Basically, which user is invoking the commands on the
repository when you access it via Apache? My repository is owned by
root and writable by my developer's group. The http user is
definitely not in the developer's group, so I'm trying to figure out
how it's able to write to the repository directory.
Ultimately, what I'm trying to do is disallow individual users from
running svnserve via svn+ssh:// in favor of going through http://. I
think I could accomplish this by changing the ownership of the
repository directory to be writable by root only assuming that apache
was invoking these commands as the root user.
Otherwise, I'll probably have to manage a different authz-db file for
the svnserve.conf that disallows access for everyone in addition to
the one I actually use for apache.
Thanks,
Bradley
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: apache user invoking svn
Posted by Nico Kadel-Garcia <nk...@comcast.net>.
Bradley Wagner wrote:
> I'm sure this is a FAQ, but I couldn't find this question either in
> the SVN FAQ. Basically, which user is invoking the commands on the
> repository when you access it via Apache? My repository is owned by
> root and writable by my developer's group. The http user is
> definitely not in the developer's group, so I'm trying to figure out
> how it's able to write to the repository directory.
The owner of the httpd daemon, typically "httpd" or "apache" or "www"
depending on your particular setup. It might be a really useful technique to
use a virtual server for SVN and use "AssignUserID svnserve", to keep
ownership consistent for any svnserve access.
> Ultimately, what I'm trying to do is disallow individual users from
> running svnserve via svn+ssh:// in favor of going through http://. I
> think I could accomplish this by changing the ownership of the
> repository directory to be writable by root only assuming that apache
> was invoking these commands as the root user.
You'll break anything that's already checked out from being checked back in,
until they do a "switch" command. But yes, you should be able to yank write
permissions for the svnserve user in svnserve.conf.
> Otherwise, I'll probably have to manage a different authz-db file for
> the svnserve.conf that disallows access for everyone in addition to
> the one I actually use for apache.
Well, yes. But I dislike the syntax and limited read/write/none access of
the svnserve.conf. Take a good look at svnperms.conf and svnperms.py,
seriously, and a matching pre-commit script. It works very well for
providing excellent resolution over read, add, update, and delete
capabilities as discrete settings.
---------------------------------------------------------------------
Re: apache user invoking svn
Posted by Bradley Wagner <br...@hannonhill.com>.
On Jul 27, 2006, at 1:33 PM, Toby Johnson wrote:
> Nico Kadel-Garcia wrote:
>> Toby Johnson wrote:
>>> Bradley Wagner wrote:
>>>>
>>>>> svnserve.conf has no effect on Apache, are you running svnserve as
>>>>> well? If your goal is to ensure all access is via http only,
>>>>> all you
>>>>> need to do is make the repo directory owned by the Apache user,
>>>>> with
>>>>> +rwX permissions, and no permissions for group or others.
>>>>
>>>> yes, that is exactly my goal. I was wondering if there was any more
>>>> elegant way in svn to disable access via svn+ssh:// other than
>>>> changing the directory ownership to be only the user running
>>>> apache.
>>>> I think managing a separate authz_db file for svnserve.conf that
>>>> just
>>>> disables all access would probably be easiest. Though, will that
>>>> affect apache's ability to invoke svn? I guess I'm a little unclear
>>>> about the different mechanisms for invoking SVN.
>>>>
>>>> Bradley
>>> How is setting filesystem permissions inelegant? That's exactly what
>>> filesystem permissions are for. The problem is that the svn repo is
>>> just a bunch of files. If someone has access to those files, they
>>> could either access them directly using file://, or they could
>>> set up
>>> their own svnserve process or their own Apache process or whatever
>>> they want to bypass whatever you might set in some configuration
>>> file.
>>> So the answer is no, there is no way to prevent svn+ssh access
>>> through a config file, because there is no way to force clients to
>>> even use your config file. If you want to prevent all access except
>>> via Apache, then using filesystem permissions is the only way to
>>> accomplish that.
>>
>> There's the pre-commit script and svnperms.conf and svnperms.py,
>> which works just fine.
>
> That's still just a ruse. If someone really wanted to they could
> bypass the pre-commit scripts, or overwrite them. My point is that
> unless you restrict filesystem permissions to just the users that
> have any business writing to those files directly, there's really
> no way to secure it.
>
> If you only want Apache reading/writing those files then only
> Apache should have filesystem permissions to do so, period. Unless
> I'm misunderstanding the problem, that is the issue he is trying to
> solve.
No, you're understanding it correctly and I think you're absolutely
right. Because a user logged on locally could still access the
repository using the file:// bypassing svnserve and the associated
svnserve.conf file altogether. It makes sense that if I want to
only allow apache access that the user running the apache process be
the only ones with access to the file.
Thanks for taking the time to explain it.
Bradley
---------------------------------------------------------------------
Re: apache user invoking svn
Posted by Toby Johnson <to...@etjohnson.us>.
Nico Kadel-Garcia wrote:
> Toby Johnson wrote:
>> Bradley Wagner wrote:
>>>
>>>> svnserve.conf has no effect on Apache, are you running svnserve as
>>>> well? If your goal is to ensure all access is via http only, all you
>>>> need to do is make the repo directory owned by the Apache user, with
>>>> +rwX permissions, and no permissions for group or others.
>>>
>>> yes, that is exactly my goal. I was wondering if there was any more
>>> elegant way in svn to disable access via svn+ssh:// other than
>>> changing the directory ownership to be only the user running apache.
>>> I think managing a separate authz_db file for svnserve.conf that just
>>> disables all access would probably be easiest. Though, will that
>>> affect apache's ability to invoke svn? I guess I'm a little unclear
>>> about the different mechanisms for invoking SVN.
>>>
>>> Bradley
>> How is setting filesystem permissions inelegant? That's exactly what
>> filesystem permissions are for. The problem is that the svn repo is
>> just a bunch of files. If someone has access to those files, they
>> could either access them directly using file://, or they could set up
>> their own svnserve process or their own Apache process or whatever
>> they want to bypass whatever you might set in some configuration
>> file.
>> So the answer is no, there is no way to prevent svn+ssh access
>> through a config file, because there is no way to force clients to
>> even use your config file. If you want to prevent all access except
>> via Apache, then using filesystem permissions is the only way to
>> accomplish that.
>
> There's the pre-commit script and svnperms.conf and svnperms.py, which
> works just fine.
That's still just a ruse. If someone really wanted to they could bypass
the pre-commit scripts, or overwrite them. My point is that unless you
restrict filesystem permissions to just the users that have any business
writing to those files directly, there's really no way to secure it.
If you only want Apache reading/writing those files then only Apache
should have filesystem permissions to do so, period. Unless I'm
misunderstanding the problem, that is the issue he is trying to solve.
---------------------------------------------------------------------
Re: apache user invoking svn
Posted by Nico Kadel-Garcia <nk...@comcast.net>.
Toby Johnson wrote:
> Bradley Wagner wrote:
>>
>>> svnserve.conf has no effect on Apache, are you running svnserve as
>>> well? If your goal is to ensure all access is via http only, all you
>>> need to do is make the repo directory owned by the Apache user, with
>>> +rwX permissions, and no permissions for group or others.
>>
>> yes, that is exactly my goal. I was wondering if there was any more
>> elegant way in svn to disable access via svn+ssh:// other than
>> changing the directory ownership to be only the user running apache.
>> I think managing a separate authz_db file for svnserve.conf that just
>> disables all access would probably be easiest. Though, will that
>> affect apache's ability to invoke svn? I guess I'm a little unclear
>> about the different mechanisms for invoking SVN.
>>
>> Bradley
> How is setting filesystem permissions inelegant? That's exactly what
> filesystem permissions are for. The problem is that the svn repo is
> just a bunch of files. If someone has access to those files, they
> could either access them directly using file://, or they could set up
> their own svnserve process or their own Apache process or whatever
> they want to bypass whatever you might set in some configuration
> file.
> So the answer is no, there is no way to prevent svn+ssh access
> through a config file, because there is no way to force clients to
> even use your config file. If you want to prevent all access except
> via Apache, then using filesystem permissions is the only way to
> accomplish that.
There's the pre-commit script and svnperms.conf and svnperms.py, which works
just fine.
---------------------------------------------------------------------
Re: apache user invoking svn
Posted by Toby Johnson <to...@etjohnson.us>.
Bradley Wagner wrote:
>
>> svnserve.conf has no effect on Apache, are you running svnserve as
>> well? If your goal is to ensure all access is via http only, all you
>> need to do is make the repo directory owned by the Apache user, with
>> +rwX permissions, and no permissions for group or others.
>
> yes, that is exactly my goal. I was wondering if there was any more
> elegant way in svn to disable access via svn+ssh:// other than
> changing the directory ownership to be only the user running apache. I
> think managing a separate authz_db file for svnserve.conf that just
> disables all access would probably be easiest. Though, will that
> affect apache's ability to invoke svn? I guess I'm a little unclear
> about the different mechanisms for invoking SVN.
>
> Bradley
How is setting filesystem permissions inelegant? That's exactly what
filesystem permissions are for. The problem is that the svn repo is just
a bunch of files. If someone has access to those files, they could
either access them directly using file://, or they could set up their
own svnserve process or their own Apache process or whatever they want
to bypass whatever you might set in some configuration file.
So the answer is no, there is no way to prevent svn+ssh access through a
config file, because there is no way to force clients to even use your
config file. If you want to prevent all access except via Apache, then
using filesystem permissions is the only way to accomplish that.
toby
---------------------------------------------------------------------
Re: apache user invoking svn
Posted by Bradley Wagner <br...@hannonhill.com>.
> svnserve.conf has no effect on Apache, are you running svnserve as
> well? If your goal is to ensure all access is via http only, all
> you need to do is make the repo directory owned by the Apache user,
> with +rwX permissions, and no permissions for group or others.
yes, that is exactly my goal. I was wondering if there was any more
elegant way in svn to disable access via svn+ssh:// other than
changing the directory ownership to be only the user running apache.
I think managing a separate authz_db file for svnserve.conf that just
disables all access would probably be easiest. Though, will that
affect apache's ability to invoke svn? I guess I'm a little unclear
about the different mechanisms for invoking SVN.
Bradley
---------------------------------------------------------------------
Re: apache user invoking svn
Posted by Toby Johnson <to...@etjohnson.us>.
Bradley Wagner wrote:
> I'm sure this is a FAQ, but I couldn't find this question either in
> the SVN FAQ. Basically, which user is invoking the commands on the
> repository when you access it via Apache? My repository is owned by
> root and writable by my developer's group. The http user is definitely
> not in the developer's group, so I'm trying to figure out how it's
> able to write to the repository directory.
There must be a problem with your permissions then, because whatever
user Apache runs as is the one used to access your local repo files.
> Ultimately, what I'm trying to do is disallow individual users from
> running svnserve via svn+ssh:// in favor of going through http://. I
> think I could accomplish this by changing the ownership of the
> repository directory to be writable by root only assuming that apache
> was invoking these commands as the root user.
You can certainly take write permissions away from the dev group (and
probably should) but the apache user still needs read/write permissions
(and execute permissions on directories).
> Otherwise, I'll probably have to manage a different authz-db file for
> the svnserve.conf that disallows access for everyone in addition to
> the one I actually use for apache.
svnserve.conf has no effect on Apache, are you running svnserve as well?
If your goal is to ensure all access is via http only, all you need to
do is make the repo directory owned by the Apache user, with +rwX
permissions, and no permissions for group or others.
---------------------------------------------------------------------
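The ownership and mode change recommended in the thread (repository owned by the Apache user, +rwX for the owner, nothing for group or others), together with a check that no path in the tree is still reachable by anyone else, as an added example that is not part of the original messages. The function names are hypothetical, and the repository path and httpd account name are whatever your system uses; `-perm /077` is GNU find syntax.

```shell
#!/bin/sh
# Added example, not from the thread. lock_repo and audit_repo are
# hypothetical helper names; pass your own repository path and the
# account your httpd runs as (often "apache", "httpd" or "www").

# lock_repo REPO OWNER
# Hand the whole tree to OWNER and strip every group/other bit.
# u+rwX adds execute only to directories and to files that are already
# executable, so hook scripts stay runnable and data files do not
# become executable. Changing ownership to another user needs root.
lock_repo() {
    repo=$1 owner=$2
    chown -R "$owner" "$repo" &&
    chmod -R u+rwX,go-rwx "$repo"
}

# audit_repo REPO OWNER
# Print every path that is not owned by OWNER or that still grants any
# permission to group or others. Such a path is one a local account
# could reach through file:// or through its own svnserve started over
# svn+ssh, bypassing Apache. Symlinks are skipped because their own
# mode bits are not meaningful.
# Returns 0 when the tree is clean, 1 when findings were printed.
audit_repo() {
    repo=$1 owner=$2
    findings=$(find "$repo" ! -type l \
        \( ! -user "$owner" -o -perm /077 \) -print)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Stand-alone use: ./lock-repo.sh /path/to/repo apache
if [ "$#" -eq 2 ]; then
    lock_repo "$1" "$2" && audit_repo "$1" "$2"
fi
```

Running `audit_repo` periodically (for example from cron) catches permissions that drift back after someone works on the repository directly as root.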