[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Permissions for repositories with Apache

From: Peter Burkholder <peterb_at_ucar.edu>
Date: 2003-04-26 16:41:09 CEST

My experience with Apache2 is fairly limited, but I understand that
a single apache with the perchild mpm can spawn virtual hosts
processes with different user id and group ids. e.g.

<VirtualHost>
        ServerName jane.example.com
        User jane
        Group devgroup
        ...
</VirtualHost>
<VirtualHost>
        ServerName paul.example.com
        User paul
        Group devgroup
        ...
</VirtualHost>
Each of these can have a DocumentRoot with the devlopers area.

see http://httpd.apache.org/docs-2.0/mod/perchild.html

P.

> Hello, I've been playing around with getting dav/dav_svn setup with Apache,
> but I can't figure out a good way to secure the thing so I was hoping to get
> a few pointers. It seems like, due to unbelievably bad support in Apache
> for UNIX users/permissions, I've got these options (this is a multiuser
> system with shell access):
>
> - Have each user run a separate Apache on a different port with their own
> User/Group directive so they can serve and configure their own repositories.
>
> - Have a special subversion-user Apache running on a different port that
> only accesses subversion repositories owned by itself and require an admin
> to setup every repository for every user, and apply every configuration
> change they need.
>
> Neither of these solutions seem very good. I'm probably missing the right
> way, though, as I'm a bit new to securing Apache. Does anyone have some
> tips on how to set up permissions so that repositories are secure on
> multiuser systems, but don't require an admin to change configuration on
> behalf of the user (like changing what HTTP-auth users have write access,
> creating new repositories, etc.)?
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: dev-help@subversion.tigris.org

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Sat Apr 26 16:43:13 2003

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.