You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@subversion.apache.org by John Biddiscombe <bi...@cscs.ch> on 2006/05/03 13:17:31 UTC
user management with no root access
Hello,
I have asked our sysadmins to setup a server for svn which they have
done using an apache interface. I have a repository working with a
project inside it.
I now need to create about half a dozen new projects, each with
different user access rights, some public, some open to certain users,
some a combination of either.
I have asked the sysdmins to setup things, but they are not experienced
svn users and neither am I, also they just don't have time to help me
out. I can't wait for them and would like to set things up myself, but I
have no "privileges" and can't change users, repository locations etc in
the apache configurations.
Is there some way that the admins can allow me to create
projects/repositories/users and change access rights etc without me
being a root user and without allowing me to break the entire system (I
am not an admin and am quite likely to break stuff initially until I
have learned the ropes).
Is there FAQ of some kind that can help me. I've read the svn book, but
need more help.
many thanks
JB
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: user management with no root access
Posted by Nico Kadel-Garcia <nk...@comcast.net>.
Kent Borg wrote:
> On Wed, May 03, 2006 at 03:17:31PM +0200, John Biddiscombe wrote:
>> Is there some way that the admins can allow me to create
>> projects/repositories/users and change access rights etc without me
>> being a root user and without allowing me to break the entire system
>> (I am not an admin and am quite likely to break stuff initially
>> until I have learned the ropes).
>
> I suggest you don't experiment on a real server that is serving real
> stuff. Install subversion on a separate box that no one else is
> depending on, do your "break stuff initially"-learning there. Once
> you learn the ropes you will be in a position to make concise requests
> of your local admins, for exactly what you need--I bet they will be
> more patient at that point.
Or run it in a separate directory, to avoid conflicts.
I rather like the svnperms.conf/svnperms.py in a pre-commit hook to control
read, add, and update access to directories or files..
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: user management with no root access
Posted by Kent Borg <ke...@borg.org>.
On Wed, May 03, 2006 at 03:17:31PM +0200, John Biddiscombe wrote:
> Is there some way that the admins can allow me to create
> projects/repositories/users and change access rights etc without me
> being a root user and without allowing me to break the entire system (I
> am not an admin and am quite likely to break stuff initially until I
> have learned the ropes).
I suggest you don't experiment on a real server that is serving real
stuff. Install subversion on a separate box that no one else is
depending on, do your "break stuff initially"-learning there. Once
you learn the ropes you will be in a position to make concise requests
of your local admins, for exactly what you need--I bet they will be
more patient at that point.
-kb
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: user management with no root access
Posted by Andy Levy <an...@gmail.com>.
On 5/3/06, John Biddiscombe <bi...@cscs.ch> wrote:
> I have asked our sysadmins to setup a server for svn which they have
> done using an apache interface. I have a repository working with a
> project inside it.
>
> I now need to create about half a dozen new projects, each with
> different user access rights, some public, some open to certain users,
> some a combination of either.
>
> I have asked the sysdmins to setup things, but they are not experienced
> svn users and neither am I, also they just don't have time to help me
> out. I can't wait for them and would like to set things up myself, but I
> have no "privileges" and can't change users, repository locations etc in
> the apache configurations.
>
> Is there some way that the admins can allow me to create
> projects/repositories/users and change access rights etc without me
> being a root user and without allowing me to break the entire system (I
> am not an admin and am quite likely to break stuff initially until I
> have learned the ropes).
>
> Is there FAQ of some kind that can help me. I've read the svn book, but
> need more help.
This really isn't an SVN question so much as a general system admin
(for whichever OS you're using) question.
For the SVN config file, they should be able to assign you to a group,
and then give that group write permission on the file. This is pretty
trivial. For the Apache config (which really, you shouldn't need to
modify much once it's set up), they can do the same, but they'd also
need to grant you rights to restart apache. On UNIX/Linux, sudo is
made for just this sort of situation. Note that you do not need to
restart Apache when editing your subversion config file - changes take
effect immediately.
I'd also recommend that you create your own SVN environment that
mimics your "live" one, at least as far as configuration goes, on your
own workstation. That way you can test configurations out and then
send the admins the changes to apply to the real server (assuming they
can't do the above) and get it "right" the first time where it counts.
The server admin won't need to know SVN at all, they just have to
apply the changes you give them to the files you specify. This is how
I'm set up.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: user management with no root access
Posted by Nico Kadel-Garcia <nk...@comcast.net>.
Rainer Sokoll wrote:
> On Wed, May 03, 2006 at 03:17:31PM +0200, John Biddiscombe wrote:
>
>> Is there some way that the admins can allow me to create
>> projects/repositories/users and change access rights etc without me
>> being a root user and without allowing me to break the entire system
>
> First of all: Apache should /never/ run as root, so for configuring
> apache there are no root privileges needed.
> For the user management I use this (short to give you just an idea):
Please rethink this. For a number of obvious security reasons, Apache
configurations files are normally used, and because Apache normally runs on
the privileged ports 80 and 443, it needs to be *STARTED* by root. Once the
ports are opened up, then the daemons are forked off and they are owned by
"apache" or "www" or some similar account.
> in httpd.conf:
> <Location /it/>
> Include conf/subversion.conf
> SVNParentPath /svn/svn/it
> AuthzSVNAccessFile conf/svnaccess/svnaccess.it
> AuthName "Access to IT area"
> </Location>
>
> In svnaccess.it, I have (among other things):
> [jsubversion01:/]
> @it = rw
> [jsubversion01:/svnaccess.ics]
> tsenger = rw
>
> In the it repository, I have a post-commit hook:
> cd /usr/local/httpd-ssl-2.0.58/conf/svnaccess && \
> /usr/local/subversion-with-ssl-1.3.1/bin/svn up
> file:///svn/svn/it/jsubversion01/ .
>
> So, /usr/local/httpd-ssl-2.0.58/conf/svnaccess is a wc for the
> repository [jsubversion01:/].
> Every member of the group it has been granted full access to
> /usr/local/httpd-ssl-2.0.58/conf/svnaccess, and the user tsenger has
> only access to
> /usr/local/httpd-ssl-2.0.58/conf/svnaccess/svnaccess.ics.
> Since changes on these files take effect without restarting apache, I
> can control acces to svn by using svn itself :-)
>
> Rainer
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: users-help@subversion.tigris.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: user management with no root access
Posted by Rainer Sokoll <R....@intershop.de>.
On Wed, May 03, 2006 at 03:17:31PM +0200, John Biddiscombe wrote:
> Is there some way that the admins can allow me to create
> projects/repositories/users and change access rights etc without me
> being a root user and without allowing me to break the entire system
First of all: Apache should /never/ run as root, so for configuring
apache there are no root privileges needed.
For the user management I use this (short to give you just an idea):
in httpd.conf:
<Location /it/>
Include conf/subversion.conf
SVNParentPath /svn/svn/it
AuthzSVNAccessFile conf/svnaccess/svnaccess.it
AuthName "Access to IT area"
</Location>
In svnaccess.it, I have (among other things):
[jsubversion01:/]
@it = rw
[jsubversion01:/svnaccess.ics]
tsenger = rw
In the it repository, I have a post-commit hook:
cd /usr/local/httpd-ssl-2.0.58/conf/svnaccess && \
/usr/local/subversion-with-ssl-1.3.1/bin/svn up file:///svn/svn/it/jsubversion01/ .
So, /usr/local/httpd-ssl-2.0.58/conf/svnaccess is a wc for the
repository [jsubversion01:/].
Every member of the group it has been granted full access to
/usr/local/httpd-ssl-2.0.58/conf/svnaccess, and the user tsenger has
only access to /usr/local/httpd-ssl-2.0.58/conf/svnaccess/svnaccess.ics.
Since changes on these files take effect without restarting apache, I
can control acces to svn by using svn itself :-)
Rainer
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org