
Re: repository permissions - some general security questions

From: Scott Lamb <slamb_at_slamb.org>
Date: 2002-07-24 17:23:49 CEST

On Wed, Jul 24, 2002 at 04:53:59PM +0200, Timothee Besset wrote:
> Well that's my problem. Default httpd config:
> User nobody
> Group #-1
>
> I'm not sure what this means really .. but it looks to me like way too
> many things could be reading and writing in the repository. I know I can
> configure apache to run as a specific user/group, but that doesn't really
> solve the problem... I'm not sure I want to have my repository at the same
> access level as all the other stuff in my web pages.
>
> Then again .. I don't know what the implications are, but wouldn't things
> be better if a specific user/group could be defined for the svn repository
> area?

Here's how my Apache setup is done:

Main Apache server:
- uses my machine's first IP
- runs as user/group apache/apache
- CGIs run using suexec as their owner.
  (Well, I don't have any CGIs for performance reasons. But that's how
  they are set up to run.)
- mod_dav_svn is loaded

Second Apache server:
- uses my machine's second IP
- runs as user/group apachevh/apachevh
- mod_php. safe_mode is turned on and open_basedir is set on each
  virtual host. So a bit more can happen as this user, though I'm still
  paranoid. (requires <http://www.slamb.org/php-apache2-safemode.patch>)

So user "apache" is pretty restrictive. No non-Apache code can execute
as that user. So I think it's pretty safe. The second server is probably
reasonably safe, too, I just don't trust mod_php's restrictions.

The other alternative - eventually - is to run Apache2 with the perchild
MPM. It dispatches requests to Apache processes that have been forked
off and setuid()ed to different users, based on the virtual host. But
last time I tried it, it didn't work. It's experimental, and for a
reason.

-- 
Scott Lamb
Received on Wed Jul 24 17:24:03 2002
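
The two-instance layout described in the message above, sketched as Apache configuration. This is an added example, not Scott Lamb's actual configuration; the IP addresses (documentation range), file paths, host name, repository location and PHP module file name are assumptions.

```apache
# --- main.conf: first instance, serves the Subversion repository ---
# Constructed sketch; addresses, paths and names are assumptions.
Listen 192.0.2.10:80
PidFile /var/run/httpd-main.pid
User  apache
Group apache

LoadModule dav_module     modules/mod_dav.so
LoadModule dav_svn_module modules/mod_dav_svn.so
# mod_php is deliberately not loaded here, so no site-supplied code
# runs as "apache". Any CGI would go through suexec and run as its owner.

<Location /svn>
    DAV svn
    SVNPath /srv/svn/repo
</Location>
# Assumed filesystem side: /srv/svn/repo is owned by apache:apache with no
# access for "other", so the apachevh user below cannot read or write it.

# --- vhosts.conf: second instance, serves the PHP virtual hosts ---
Listen 192.0.2.11:80
PidFile /var/run/httpd-vhosts.pid
User  apachevh
Group apachevh

LoadModule php4_module modules/libphp4.so
# mod_dav_svn is not loaded in this instance.

<VirtualHost 192.0.2.11:80>
    ServerName site-a.example
    DocumentRoot /srv/www/site-a
    # Per-host PHP restrictions, as in the message.
    php_admin_flag  safe_mode    on
    php_admin_value open_basedir /srv/www/site-a
</VirtualHost>
```

Each file is a separate server started with its own `httpd -f <file>`, so a compromise of PHP code in the second instance runs as `apachevh` and is stopped at the repository by ordinary file permissions.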

This is an archived mail posted to the Subversion Dev mailing list.
