Posted to users@subversion.apache.org by Wade Williams <wa...@mac.com> on 2004/04/27 15:35:11 UTC
svnserve -r not working?
I'm using 1.02 and I'm sure I'm doing something stupid.
My repository was created with:
bravado:wade {101} svnadmin create /home/svnroot/trdev
You can see that svnserve is running with -r:
bravado:wade {102} ps -auxww | grep svn
wade 5864 0.0 0.3 144 352 p0 S+ 10:28AM 0:00.01 grep svn
wade 17623 0.0 0.4 96 572 ?? Is 10:56PM 0:00.00 svnserve -d -r /home/svnroot
but when I try to checkout with another machine, I have to specify the
full path:
[dreamline:~] wade% svn co svn+ssh://10.11.11.20/trdev
svn: No repository found in 'svn+ssh://10.11.11.20/trdev'
[dreamline:~] wade% svn co svn+ssh://10.11.11.20/home/svnroot/trdev
A trdev/tr.mod
A trdev/tr
A trdev/tr/planes
Any thoughts?
Thanks,
Wade
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: svnserve -r not working?
Posted by Dimitri Papadopoulos-Orfanos <pa...@shfj.cea.fr>.
Hi,
> You're aware that you can use svnserve without ssh, right? That you can
> create svnserve "accounts" which aren't shell accounts, just like
> apache's own "accounts"?
I could do that, but as far as I understand that wouldn't be wise from a
security point of view.
--
Dimitri
Re: svnserve -r not working?
Posted by Ben Collins-Sussman <su...@collab.net>.
Dimitri Papadopoulos-Orfanos wrote:
> That's one of the reasons that convinced me using Apache is a better
> solution than svnserve + SSH [...]
>
> Another reason was that I'd rather not give shell access to all
> Subversion users.
You're aware that you can use svnserve without ssh, right? That you can
create svnserve "accounts" which aren't shell accounts, just like
apache's own "accounts"?
Re: svnserve -r not working?
Posted by Dimitri Papadopoulos-Orfanos <pa...@shfj.cea.fr>.
Hi,
Thank you for your prompt answer.
> As I believe I noted in the message you replied to, there are some
> changes in the trunk which will make this better someday. In essence,
> the changes permit all svn+ssh:// access via a single user account, but
> in a way that maintains the AUTHOR field (you can do it now but all
> commits would be from the same user).
In my case it's not a matter of limiting the number of accounts, rather
it's a matter of limiting what each of these accounts can do.
>> Since in the Subversion case SSH has to spawn its own svnserve
>> instance, is there any other way to constrain Subversion users to run
>> svnserve and nothing else? I guess one should use a constrained shell,
>> but I have no experience with that. Does anyone have some
>> recipe/shell/script to share?
>
>
> If you don't mind setting them up as individual users, you can actually
> force the ssh connection to execute an application when connecting (it's
> part of the authorized_keys stanza). It's actually part of how the
That's much better, but as far as I can understand that works only when
using public key authentication. Using password authentication bypasses
authorized_keys.
> patch I mention above works. See this thread for:
>
> http://www.contactor.se/~dast/svn/archive-2004-02/0220.shtml
>
> especially the first message cited above which shows the use of
> 'command=' in the authorized_keys file.
I'd rather constrain the shell than constrain each authentication
method separately.
--
Dimitri
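An added example, not part of any post in this thread and not Subversion project code: one way to build the "constrained shell" asked about above, as a login shell that runs only the svnserve tunnel, so it applies to password and public-key logins alike. The script name `svn-only-shell`, the function `svn_only_gate` and the `SVN_ROOT` variable are hypothetical; `/home/svnroot` is the path from the original question, and the script assumes sshd starts remote commands as `<login shell> -c '<command>'`.

```shell
#!/bin/sh
# svn-only-shell (hypothetical name): login shell for Subversion-only accounts.
# sshd starts a remote command as:  <login shell> -c '<client command>'
# and the svn client's svn+ssh:// tunnel asks for exactly "svnserve -t".

# Repository parent directory; /home/svnroot is the path used in the thread.
SVN_ROOT="${SVN_ROOT:-/home/svnroot}"

# Return 0 only when the requested command is the tunnel invocation.
# The string is compared, never evaluated, so "svnserve -t; id" is just
# a string that does not match.
svn_only_gate() {
    case "$1" in
        "svnserve -t") return 0 ;;
        *)             return 1 ;;
    esac
}

# Entry point when sshd runs this file as the account's login shell.
if [ "${1-}" = "-c" ]; then
    if svn_only_gate "${2-}"; then
        # Fixed command line: nothing sent by the client is copied into it.
        # -r makes svn+ssh://host/trdev resolve to $SVN_ROOT/trdev.
        exec svnserve -t -r "$SVN_ROOT"
    fi
    # Record the refused request so it shows up in the auth log.
    logger -t svn-only-shell -p auth.notice \
        "refused command for ${USER:-unknown}: ${2-}" 2>/dev/null || true
    echo "This account is restricted to Subversion access." >&2
    exit 1
fi
# No -c argument means an interactive login: fall through and exit, so
# no shell prompt is ever offered.
```

Because the account's shell is the gate, the same restriction holds whichever authentication method sshd accepted, and the `-r` in the fixed command also makes the short `svn+ssh://10.11.11.20/trdev` URL from the original question resolve.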
Re: svnserve -r not working?
Posted by John Peacock <jp...@rowman.com>.
Dimitri Papadopoulos-Orfanos wrote:
> Another reason was that I'd rather not give shell access to all
> Subversion users.
As I believe I noted in the message you replied to, there are some changes in
the trunk which will make this better someday. In essence, the changes permit
all svn+ssh:// access via a single user account, but in a way that maintains the
AUTHOR field (you can do it now but all commits would be from the same user).
>
> Since in the Subversion case SSH has to spawn its own svnserve instance,
> is there any other way to constrain Subversion users to run svnserve and
> nothing else? I guess one should use a constrained shell, but I have no
> experience with that. Does anyone have some recipe/shell/script to share?
If you don't mind setting them up as individual users, you can actually force
the ssh connection to execute an application when connecting (it's part of the
authorized_keys stanza). It's actually part of how the patch I mention above
works. See this thread for:
http://www.contactor.se/~dast/svn/archive-2004-02/0220.shtml
especially the first message cited above which shows the use of 'command=' in
the authorized_keys file.
HTH
John
--
John Peacock
Director of Information Research and Technology
Rowman & Littlefield Publishing Group
4720 Boston Way
Lanham, MD 20706
301-459-3366 x.5010
fax 301-429-5747
Re: svnserve -r not working?
Posted by Dimitri Papadopoulos-Orfanos <pa...@shfj.cea.fr>.
Hi,
> svn+ssh:// spawns a custom svnserve instance for each connection; it is
> much more closely related to using file:// from a local account. It
> doesn't attach to the svnserve instance you started above. See this for
> more details:
>
> http://svnbook.red-bean.com/svnbook/ch06s03.html#svn-ch-6-sect-3.3
>
> especially the second paragraph after the example code.
That's one of the reasons that convinced me using Apache is a better
solution than svnserve + SSH for authenticated access - although it
seems much more involved at first sight.
Another reason was that I'd rather not give shell access to all
Subversion users. With Perforce, I was able to create accounts with
/bin/false as the shell, because SSH was only used for tunnelling a
connection to the Perforce daemon already running on the server. Then users
would connect using:
ssh -N
where -N stands for:
Do not execute a remote command. This is useful for just
forwarding ports (protocol version 2 only).
Since in the Subversion case SSH has to spawn its own svnserve instance,
is there any other way to constrain Subversion users to run svnserve and
nothing else? I guess one should use a constrained shell, but I have no
experience with that. Does anyone have some recipe/shell/script to share?
--
Dimitri
Re: svnserve -r not working?
Posted by John Peacock <jp...@rowman.com>.
Wade Williams wrote:
> [dreamline:~] wade% svn co svn+ssh://10.11.11.20/trdev
> svn: No repository found in 'svn+ssh://10.11.11.20/trdev'
svn+ssh:// spawns a custom svnserve instance for each connection; it is much
more closely related to using file:// from a local account. It doesn't attach
to the svnserve instance you started above. See this for more details:
http://svnbook.red-bean.com/svnbook/ch06s03.html#svn-ch-6-sect-3.3
especially the second paragraph after the example code.
HTH
John
--
John Peacock
Director of Information Research and Technology
Rowman & Littlefield Publishing Group
4501 Forbes Boulevard
Suite H
Lanham, MD 20706
301-459-3366 x.5010
fax 301-429-5748