Posted to dev@subversion.apache.org by Timothee Besset <tt...@idsoftware.com> on 2003/02/26 09:28:43 UTC

ra_svn permissions

As far as I'm concerned, I've aborted my attempts to move from ra_dav to
ra_svn. ra_svn may be faster, but I ran into too many permission issues.

The way I run ra_dav:

There is a system user and a group 'svn'. All the repository is owned rw
by svn:svn, directories are chmod g+s svn. Apache runs as svn/svn
obviously, and all is good.

Now if I try ra_svn over ssh:

I add my user to the svn group. When I run anything svn:// onto the
repository, permissions and ownership go crazy, usually ending up in a DB
error, and need to run svnadmin recovery + go through the repository to
set all ownerships and perms right again.

Do you have any suggestions on how I should proceed?

TTimo

On Wed, 26 Feb 2003 09:10:28 +0000
Colin Watson <cj...@flatline.org.uk> wrote:

> On Wed, Feb 26, 2003 at 01:40:28AM -0600, seanc@dimensionalrift.com wrote:
> > Would anyone be traumatized if I worked on a patch to ra_svn to allow
> > user-defined additional command line options to the svn-tunnel-agent as
> > used in ra_svn_open?  I can coax plink/putty to fudge my user name with a
> > session (which is not the same between the two machines), but openssh in
> > cygwin requires "-l username" on the command line.
> 
> While additional options would be a useful thing to have, I'm surprised
> you don't have ~/.ssh/config or some equivalent in cygwin ...
> 
> -- 
> Colin Watson                                  [cjwatson@flatline.org.uk]
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: dev-help@subversion.tigris.org

Re: ra_svn permissions

Posted by Ben Collins-Sussman <su...@collab.net>.
Timothee Besset <tt...@idsoftware.com> writes:

> Interesting (and freaking ugly).
> 
> Where can I find dummy examples in perl/python/C whatever to do the
> svnserver wrapping and umask set?

We're talking about something really simple here:

$ mv /usr/local/bin/svnserve /usr/local/bin/svnserve-real
$ cat > /usr/local/bin/svnserve
#!/bin/sh
# Files created by svnserve stay group-writable
umask 002
/usr/local/bin/svnserve-real "$@"
^D
$ chmod +x /usr/local/bin/svnserve

...catch my drift?

Re: ra_svn permissions

Posted by Greg Hudson <gh...@MIT.EDU>.
On Wed, 2003-02-26 at 12:48, Philip Martin wrote:
> I don't understand.  The directory sticky bit controls who can delete
> a directory entry, with +s only the entry owner can delete it (and it
> only works on some systems).  How does that help?

g+s is the setgid bit, not the sticky bit.  Making a directory setgid
ensures that group ownership is inherited from that directory when new
files and directories are created inside it.  (On some systems, notably
the *BSDs, this inheritance is the default regardless of the setgid bit;
on others, notably Linux, group ownership of new inodes defaults to the
primary group of the creator unless the setgid bit is present on the
parent directory.)
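
The checks this thread converges on (one shared group, g+s on every directory, group-writable files from a umask 002 wrapper) can be audited with find. This is an added shell example, not code from any poster or from the Subversion project; `audit_repo` and `make_sample_repo` are hypothetical names, and the sample tree and its file names are constructed.

```sh
#!/bin/sh
# audit_repo REPO GROUP   (GROUP may be a name or a numeric gid)
# Prints "ISSUE<TAB>PATH" for each finding; returns 0 if clean, 1 otherwise.
audit_repo() {
    repo=$1
    group=$2
    report=$(
        # Usual cause: created below a directory without g+s, so the entry
        # got the creator's primary group instead of the shared one.
        find "$repo" ! -group "$group" -exec printf 'wrong-group\t%s\n' {} \;
        # Directories need setgid so new entries inherit the group.
        find "$repo" -type d ! -perm -2000 -exec printf 'no-setgid\t%s\n' {} \;
        # Usual cause: written without the umask 002 wrapper, so other
        # members of the group cannot read or update the file.
        find "$repo" ! -perm -0060 -exec printf 'not-group-rw\t%s\n' {} \;
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed sample tree (not a real repository; file names are made up).
make_sample_repo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/db" "$d/db/nosgid"
    chmod 2770 "$d" "$d/db"                     # owner+group rwx, plus g+s
    chmod ug=rwx,o=,g-s "$d/db/nosgid"          # a directory that lost g+s
    ( umask 002; : > "$d/db/log.0000000001" )   # wrapper umask: mode 664
    ( umask 022; : > "$d/db/log.0000000002" )   # default umask: mode 644
    printf '%s\n' "$d"
}

# With two arguments, audit that tree and exit with audit_repo's status.
if [ $# -eq 2 ]; then
    audit_repo "$1" "$2"
fi
```

For the setup described in this thread the group argument would be svn, and a non-zero exit status means at least one path needs its group or mode repaired.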


Re: ra_svn permissions

Posted by Philip Martin <ph...@codematters.co.uk>.
Greg Hudson <gh...@MIT.EDU> writes:

> It would be more social of us if we could remove the umask requirement. 
> Unfortunately, that means hacking (or discarding) Berkeley DB.  BDB
> needs to chmod logfiles after creating them to match the permissions of
> the database.

If BDB can be modified in some reasonable way we should submit a patch
to Sleepycat Software.  Then we wait for the next release and the
problem is solved :)

> As long as the parent directory is g+s, everything should
> work out.

I don't understand.  The directory sticky bit controls who can delete
a directory entry, with +s only the entry owner can delete it (and it
only works on some systems).  How does that help?

-- 
Philip Martin

Re: ra_svn permissions

Posted by Greg Hudson <gh...@MIT.EDU>.
On Wed, 2003-02-26 at 09:03, Timothee Besset wrote:
> I think it would be better if those umask things could be configured in 
> httpd conf and in svnserve directly though. A configuration line is 
> easier than wrappers everywhere..

Well, sure.  And when svnserve gets a config file (anyone can feel free
to jump in with that, see issue #1143), a umask option would be fine
there.

Apache is a tougher issue.  An httpd might be performing many tasks,
each with their own umask requirements.  But Apache has a plugin model
(a single httpd process may perform many different functions, possibly
even at the same time, as I understand it), and the umask is
process-global state, so the first conflict between umask requirements
is a dead end for the administrator.  Or worse, a security hole.

It would be more social of us if we could remove the umask requirement. 
Unfortunately, that means hacking (or discarding) Berkeley DB.  BDB
needs to chmod logfiles after creating them to match the permissions of
the database.  As long as the parent directory is g+s, everything should
work out.


Re: ra_svn permissions

Posted by Timothee Besset <tt...@idsoftware.com>.
Interesting (and freaking ugly).

Where can I find dummy examples in perl/python/C whatever to do the 
svnserver wrapping and umask set?

I think it would be better if those umask things could be configured in 
httpd conf and in svnserve directly though. A configuration line is 
easier than wrappers everywhere..

TTimo

Ben Collins-Sussman wrote:

>Timothee Besset <tt...@idsoftware.com> writes:
>
>>Now if I try ra_svn over ssh:
>>
>>I add my user to the svn group. When I run anything svn:// onto the
>>repository, permissions and ownership go crazy, usually ending up in a DB
>>error, and need to run svnadmin recovery + go through the repository to
>>set all ownerships and perms right again.
>>
>>Do you have any suggestions on how I should proceed?
>
>We just added a section on this in the svn book, take a look:
>
>   http://svnbook.red-bean.com/book.html#svn-ch-5-sect-5

Re: ra_svn permissions

Posted by Ben Collins-Sussman <su...@collab.net>.
Timothee Besset <tt...@idsoftware.com> writes:

> Now if I try ra_svn over ssh:
> 
> I add my user to the svn group. When I run anything svn:// onto the
> repository, permissions and ownership go crazy, usually ending up in a DB
> error, and need to run svnadmin recovery + go through the repository to
> set all ownerships and perms right again.
> 
> Do you have any suggestions on how I should proceed?

We just added a section on this in the svn book, take a look:

   http://svnbook.red-bean.com/book.html#svn-ch-5-sect-5


Re: ra_svn permissions

Posted by Timothee Besset <tt...@idsoftware.com>.
Yeah that's my setup, everything owned by svn:svn, all files 660 (i.e.
user and group rw), + chmod g+s. But yet things go completely nuts when I
attempt an ra_svn operation

TTimo

On Wed, 26 Feb 2003 03:42:47 -0600 (CST)
seanc@dimensionalrift.com wrote:

> I noticed I had to chmod -R g+w the repository as well as doing a g+s on
> it, and this is described a bit in one of my earlier posts.  It seems the
> Berkeley DB is a bit wimpy when it comes to ignoring attribute bits on
> files it actually has ownership of.
> 
> > As far as I'm concerned, I've aborted my attempts to move from ra_dav to
> > ra_svn. ra_svn may be faster, but I ran into too many permission issues.
> >
> > The way I run ra_dav:
> >
> > There is a system user and a group 'svn'. All the repository is owned rw
> > by svn:svn, directories are chmod g+s svn. Apache runs as svn/svn
> > obviously, and all is good.
> >
> > Now if I try ra_svn over ssh:
> >
> > I add my user to the svn group. When I run anything svn:// onto the
> > repository, permissions and ownership go crazy, usually ending up in a DB
> > error, and need to run svnadmin recovery + go through the repository to
> > set all ownerships and perms right again.
> >
> > Do you have any suggestions on how I should proceed?
> >
> > TTimo
> >
> > On Wed, 26 Feb 2003 09:10:28 +0000
> > Colin Watson <cj...@flatline.org.uk> wrote:
> >
> >> On Wed, Feb 26, 2003 at 01:40:28AM -0600, seanc@dimensionalrift.com wrote:
> >> > Would anyone be traumatized if I worked on a patch to ra_svn to allow
> >> > user-defined additional command line options to the svn-tunnel-agent as
> >> > used in ra_svn_open?  I can coax plink/putty to fudge my user name with a
> >> > session (which is not the same between the two machines), but openssh in
> >> > cygwin requires "-l username" on the command line.
> >>
> >> While additional options would be a useful thing to have, I'm surprised
> >> you don't have ~/.ssh/config or some equivalent in cygwin ...
> >>
> >> --
> >> Colin Watson                                  [cjwatson@flatline.org.uk]

Re: ra_svn permissions

Posted by se...@dimensionalrift.com.
I noticed I had to chmod -R g+w the repository as well as doing a g+s on
it, and this is described a bit in one of my earlier posts.  It seems the
Berkeley DB is a bit wimpy when it comes to ignoring attribute bits on
files it actually has ownership of.

> As far as I'm concerned, I've aborted my attempts to move from ra_dav to
> ra_svn. ra_svn may be faster, but I ran into too many permission issues.
>
> The way I run ra_dav:
>
> There is a system user and a group 'svn'. All the repository is owned rw
> by svn:svn, directories are chmod g+s svn. Apache runs as svn/svn
> obviously, and all is good.
>
> Now if I try ra_svn over ssh:
>
> I add my user to the svn group. When I run anything svn:// onto the
> repository, permissions and ownership go crazy, usually ending up in a DB
> error, and need to run svnadmin recovery + go through the repository to
> set all ownerships and perms right again.
>
> Do you have any suggestions on how I should proceed?
>
> TTimo
>
> On Wed, 26 Feb 2003 09:10:28 +0000
> Colin Watson <cj...@flatline.org.uk> wrote:
>
>> On Wed, Feb 26, 2003 at 01:40:28AM -0600, seanc@dimensionalrift.com wrote:
>> > Would anyone be traumatized if I worked on a patch to ra_svn to allow
>> > user-defined additional command line options to the svn-tunnel-agent as
>> > used in ra_svn_open?  I can coax plink/putty to fudge my user name with a
>> > session (which is not the same between the two machines), but openssh in
>> > cygwin requires "-l username" on the command line.
>>
>> While additional options would be a useful thing to have, I'm surprised
>> you don't have ~/.ssh/config or some equivalent in cygwin ...
>>
>> --
>> Colin Watson                                  [cjwatson@flatline.org.uk]