Re: [SLUG] Question on ownerships and permissions of subversion repositories

On Sat, Apr 29, 2006 at 10:22:50PM +1000, Michael Lake wrote:
> I have a question on ownerships and permissions of subversion repositories.
> I'll be using svn+ssh.

I have set up repos on an open/free OS for use with svn+ssh.

svn+ssh means that repo access is protected by normal Unix user/group controls. Our users already have ssh access to the machine holding the repos, so no special ssh stuff is required - just their normal login keys.

Each distinct work group has all members belonging to the same /etc/group, and I set the group of all repo files to match. This just means you need to put all workers for the same project into the same /etc/group - but they're probably already there. If the project needs different group membership, it needs a different group, and a different repo.

My repos are all fsfs.

I put wrappers around all svn binaries to set umask to 002, and do

    chown -R svn:
    chmod -R ug+rwX,o=

Because I don't use web or other access to these repos, I don't really care whether the ownership is svn or something else, as all access to this stuff happens because of g+rw.

If you do want public read access, you might change repo modes to ug+rwX,o+rX. A not so good alternative might be to chown it to the user they all get to read as (say something www-ish) - in which case you might want u+rX,u-w. (My repos are not public, so I haven't tried either of these out.)

--
Christopher Vance
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
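
An added example, not part of the thread: a POSIX shell audit for the policy in the message above (one shared group, ug+rwX, o=), run against a constructed temporary tree to show how a file created under umask 022, 002 and 007 fares. The function names and the temporary tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# audit_repo REPO GROUP: check a tree against the shared group, ug+rwX, o= policy.
# Prints REASON<TAB>PATH per violation; returns 0 if clean, 1 otherwise.
audit_repo() {
    repo=$1 group=$2
    out=$(
        # Wrong group: project members would not get access via g+rw.
        find "$repo" ! -group "$group" -exec printf 'wrong-group\t%s\n' {} \;
        # Missing group read or write: the next committer cannot update it.
        find "$repo" ! -perm -060 -exec printf 'no-group-rw\t%s\n' {} \;
        # Directories also need group search, the X in ug+rwX.
        find "$repo" -type d ! -perm -010 -exec printf 'no-group-x\t%s\n' {} \;
        # Any bit for other contradicts o=. Symlink modes carry no meaning.
        find "$repo" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) \
            -exec printf 'other-access\t%s\n' {} \;
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# demo_umask UMASK: build a constructed repo-like tree, apply the chmod from
# the message, then create one new file under UMASK as a commit would.
# Echoes the comma-joined set of violation reasons (empty means clean).
demo_umask() {
    tmp=$(mktemp -d) || return 2
    grp=$(ls -ldn "$tmp" | awk '{print $4}')   # stand-in project group (gid)
    mkdir -p "$tmp/repo/db/revs"
    echo 3 > "$tmp/repo/format"
    chmod -R ug+rwX,o= "$tmp/repo"
    ( umask "$1"; echo r1 > "$tmp/repo/db/revs/1" )
    reasons=$(audit_repo "$tmp/repo" "$grp" | cut -f1 | sort -u | paste -sd, -)
    rm -rf "$tmp"
    echo "$reasons"
}

# 022 leaves new files without g+w; 002 fixes that but new files still carry
# o+r (out of reach only while the directories above stay o=); 007 gives o=.
for m in 022 002 007; do
    printf 'umask %s -> %s\n' "$m" "$(demo_umask "$m")"
done
```

Run `audit_repo /path/to/repo groupname` against a real repository after the recursive chown/chmod, and again after a few commits, to confirm the wrapper's umask is taking effect.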

Re: [SLUG] Question on ownerships and permissions of subversion repositories

On Sat Apr 29, Michael Lake wrote:
> Hi all
>
> I have a question on ownerships and permissions of subversion repositories.

> /var/lib# chown -R root:src svnrepos/

Actually I'm also planning to have the repository browsable by Trac (an SCM system) so I'll probably need it also readable by www-data. What does one do there if one wants users to be able to have file:// access locally and apache to have read access?

Mike
--
Mike Lake
Caver, Linux enthusiast and interested in anything technical.

[SLUG] Question on ownerships and permissions of subversion repositories

Hi all

I have a question on ownerships and permissions of subversion repositories.

I'm setting up a subversion repository to be used by a few users. I therefore didn't want to put the repository in some /home/somebody/ but into /var/lib/ i.e. next to where cvs repositories reside. This is a Debian system.

This is what I have done so far:

As root create the repository:

    # svnadmin create /var/lib/svnrepos

The users are members of the src group so change the root:root ownership to root:src

    /var/lib# chown -R root:src svnrepos/

The project is in a TEMP directory so import it from there:

    TEMP$ svn import . file:///var/lib/svnrepos/project1 -m "initial import"
    svn: Unable to open an ra_local session to URL
    svn: Unable to open repository 'file:///var/lib/svnrepos/project1'
    svn: Berkeley DB error while opening environment for filesystem /var/lib/svnrepos/db: Permission denied

Of course we have to change the permissions of /var/lib/svnrepos

This is what they were originally:

    $ ls -l /var/lib/svnrepos/
    -rw-r--r-- 1 root src  379 Apr 29 21:36 README.txt
    drwxr-xr-x 2 root src 4.0K Apr 29 21:36 conf
    drwxr-xr-x 2 root src 4.0K Apr 29 21:36 dav
    drwxr-sr-x 2 root src 4.0K Apr 29 22:05 db
    -r--r--r-- 1 root src    2 Apr 29 21:36 format
    drwxr-xr-x 2 root src 4.0K Apr 29 21:36 hooks
    drwxr-xr-x 2 root src 4.0K Apr 29 21:36 locks

Looking at the above I decided that as I'm not using webdav and format and hooks/ and conf are probably not modified by users that I don't need to change the ownerships of everything and that indeed might be bad security wise so I just changed db/ and locks/ so that the src group could create or change files in there:

From within /var/lib/svnrepos/

    # chmod -R g+w db/
    # chmod -R g+w locks/

Now the import works fine:

    $ svn import . file:///var/lib/svnrepos/project1 -m "initial import"

QUESTION

1. Is this the correct thing to do if one wants repositories in /var/lib?
2. Am I lowering security by the chowns and chmods?
3. What's general practice on where developers put their repositories in Debian systems?

At present this is on my laptop but it will be done on an internet connected virtual server soon, I'm just documenting everything that I need to do to get it all working correctly and securely. I'll be using svn+ssh.

Mike
--
Mike Lake
Caver, Linux enthusiast and interested in anything technical.