
Re: NIS and Group control

From: Duane Griffin <d.griffin_at_psenterprise.com>
Date: 2006-07-28 11:19:29 CEST

On Thu, 2006-07-27 at 16:17 -0400, Travis Love wrote:
> Once more, I promise. I've done everything, and it seems there are
> still some tweaks that need doing that haven't been documented, so
> once more. svnperms.conf is in /svn/repos/conf, svnperms.py and
> pre-commit are in /svn/repos/hooks. This is what they look like:
[snip]

The pre-commit hook won't help you prevent people from viewing the
repository. Nor will any other type of hook, I'm afraid. As far as I
know the best approach is to use the NIS for authentication and authz
for access control (and yes, this will involve a cron job). You've
already got Apache configured to use NIS through PAM, so that part is
fine. Now you need to set up authz access control:

...
LoadModule authz_svn_module modules/mod_authz_svn.so
...
<Location /repo>
  ...
  AuthzSVNAccessFile /var/svn/repo/conf/passwd
  ...
</Location>

Create the access-control file from a cron job with something like this:

ypcat group | awk -F : '
  BEGIN {print "[/]\n* =\n@reviewers = r\n@writers = rw\n\n[groups]"}
  {print $1, "=", $4}' > /var/svn/repo/conf/passwd

(Note: eyeball tested only!)

If it is possible to configure Apache to do the access-control based on
the user's group that would be preferable, but I can't help with that.
The setup I've described is similar to what we use here, so I know it
works in principle.

> That's everything I've modified. I can access the repository as
> either the group user or as a non-group user. Both users are
> authenticated through NIS, neither user is a member of a group
> "group1" in /etc/passwd, SVN server is running Fedora Core 5. I want
> to let the group user have all permissions and the non-group user be
> unable to see the code. Can I even do this with NIS authentication,
> or do I need to have a cron job dump the NIS table to a file for
> subversion to use over svnserve?
>
> Paranoia? No. I'm implementing this for a Comp. Sci professor, who
> is very concerned about code theft/plagiarism among his students.
>
> Thanks for any help you can give, I'm very stuck here.
> -Travis

Hope this helps!

Cheers,
Duane.

Received on Fri Jul 28 11:20:46 2006

This is an archived mail posted to the Subversion Users mailing list.
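
The cron step described in the mail, as an added example that is not part of the original post: it renders the same access file from NIS group data, but writes it to a temporary file and renames it into place, so a failed or empty `ypcat` keeps the previous file instead of truncating it. The function names `render_authz` and `update_authz` and the sample group lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. The [/] rules and the
# reviewers/writers group names are the ones used in the post's one-liner.

# Constructed sample in NIS group format: name:passwd:gid:member,member
SAMPLE='writers:*:501:alice,bob
reviewers:*:502:carol
bad]name:*:503:dave'

# render_authz: group lines on stdin -> access file on stdout.
# Exits non-zero when no usable group was read (e.g. ypcat failed).
render_authz() {
    awk -F: '
        BEGIN { print "[/]\n* =\n@reviewers = r\n@writers = rw\n\n[groups]" }
        # Accept only plain names and member lists, so a stray "[" or "="
        # in the NIS data cannot add sections or rules to the file.
        NF >= 4 && $1 ~ /^[A-Za-z0-9_.-]+$/ && $4 ~ /^[A-Za-z0-9_.,-]*$/ {
            print $1 " = " $4
            n++
        }
        END { exit (n > 0 ? 0 : 1) }'
}

# update_authz DEST: render stdin to a temp file beside DEST and rename it
# into place, so Apache never reads a truncated or half-written file.
update_authz() {
    dest=$1
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    # Carry over the mode (and owner, when root) of the file being replaced.
    if [ -e "$dest" ] && ! cp -p "$dest" "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    if render_authz > "$tmp" && mv -f "$tmp" "$dest"; then
        return 0
    fi
    rm -f "$tmp"   # keep the previous access file on any failure
    return 1
}

# Cron usage (path from the post): ypcat group | update_authz /var/svn/repo/conf/passwd
# Stand-alone run: show what the constructed sample renders to.
printf '%s\n' "$SAMPLE" | render_authz
```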
