
Re: Could svn check permissions?

From: Greg Hudson <ghudson_at_MIT.EDU>
Date: 2003-09-05 18:35:10 CEST

On Thu, 2003-09-04 at 16:07, John Peacock wrote:
> I still maintain that there is nothing wrong with BerkeleyDB.

It's a bad fit for us in this area, because we cannot ensure that its
requirements are met.

> As long as you set up the directory, groups, and file permissions
> correctly, it Just Works(tm).

Having "nothing wrong with you" is not just about working when the user
does everything correctly. It's also about being tolerant when the user
does not, and failing gracefully when you cannot be tolerant.

> 1) Add a new option to 'svnadmin create'
> --group=ARG : create repository as group ARG

We cannot set the group permissions of a BDB database without looking
under the covers.

> 2a) Alter svn to always set umask S_IRUSR, S_IWUSR, S_IRGRP, and S_IWGRP prior to
> opening the database (will this work?);

libsvn_fs is a library. It cannot in good conscience modify global
process state. (We can't even get away with modifying it and setting it
back again when we're done, because of threads.)

> 2b) Include a svn wrapper which sets umask 002.

If I set my umask to 022, that means I want files I create to be
non-world-writable and non-group-writable except when there is a good
reason to behave otherwise. In particular, it suggests that if I create
a repository, I want it to be non-world-writable and
non-group-writable. Overriding that preference would be a security
hole. (CVS does actually bash the umask, and is insecure as a result.)

Now, if you modify a repository which you don't own, using your group
write permissions, then that's an excellent reason to override the umask
and set new logfiles to be group-writable. But we don't have any way to
do that, because Berkeley DB's environment support isn't flexible enough
to determine that aspect of how new logfiles are created.

We could provide a wrapper to be used optionally (somehow; the details
are hazy), but we still have to fail gracefully if users don't elect to
use that option when they should.
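The failure the thread is arguing about (a new logfile created under a committer's umask 022 loses its group-write bit, so the next committer in the group cannot open the database) and the graceful pre-open check Greg asks for, as an added example that is not from the thread or from Subversion's own code. The repository layout (a `db/` directory of flat files), the file names and the "every db file must be group read/write and owned by the repository group" policy are assumptions made for illustration.

```python
"""Audit a repository's db/ directory for files that will break shared
group access.  Example code, not Subversion's; layout and policy assumed."""
import os
import stat
import tempfile

GROUP_RW = stat.S_IRGRP | stat.S_IWGRP


def effective_mode(requested, umask):
    """Mode a newly created file actually gets: requested bits minus umask."""
    return requested & ~umask & 0o777


def audit_repo_db(db_dir):
    """Return [(name, mode)] for files that are not group read+write or
    that belong to a different group than the db directory itself.
    A front end could run this before opening the environment and give a
    clear error instead of a Berkeley DB permission failure."""
    repo_gid = os.stat(db_dir).st_gid
    problems = []
    for name in sorted(os.listdir(db_dir)):
        path = os.path.join(db_dir, name)
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        if (mode & GROUP_RW) != GROUP_RW or st.st_gid != repo_gid:
            problems.append((name, mode))
    return problems


def demo():
    """Constructed scenario: 'strings' was created by the repository owner
    under umask 002, the logfile by a group member under umask 022.
    The umask is changed here only to simulate those two writers."""
    with tempfile.TemporaryDirectory() as db_dir:
        for name, umask in (("strings", 0o002), ("log.0000000001", 0o022)):
            old = os.umask(umask)
            try:
                fd = os.open(os.path.join(db_dir, name),
                             os.O_CREAT | os.O_WRONLY, 0o666)
                os.close(fd)
            finally:
                os.umask(old)
        return audit_repo_db(db_dir)
```

Only the logfile is reported: 0666 masked by 022 yields 0644, which is exactly the group-unwritable file the thread describes.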

Received on Fri Sep 5 18:36:05 2003

This is an archived mail posted to the Subversion Dev mailing list.
