
Re: Could svn check permissions?

From: John Peacock <jpeacock_at_rowman.com>
Date: 2003-09-05 21:26:36 CEST

Greg Hudson wrote:

> On Fri, 2003-09-05 at 13:32, John Peacock wrote:
>
>>Isn't it possible to use setgid() to change the group ID of the current process
>>only (in this case the svnadmin)?
>
> I guess that might work. (For Unix only, of course, and probably only
> for repositories created by root.) I'm not sure whether it's worth
> adding a flag; anyone who knows to use the flag is probably just as
> capable of running chgrp -R after running svnadmin create.

My point is that it is better to set up the repository right when created,
rather than requiring anyone to run any other programs after creation to fix it
up for a given purpose. I'm all in favor of subversion failing gracefully if
something goes wrong; I'm just saying it's /better/ to reduce the possibility of
failure in the first place.

Here's my expanded proposal:

1) If you want to configure the repository to be accessible by the current user,
do nothing except the normal:

        svnadmin create /path/to/repos

The files are created owned by the logged in user, with the logged in user's
umask in effect. The logged in user requires enough rights to create the
repository directory itself.

2) If you want to configure the repository to run as a specific non-privileged
user (e.g. using the Apache user), use a new option:

        svnadmin create --user=nobody /path/to/repos

This requires root access (which is appropriate), and uses setuid() to that user
prior to calling the BDB library. The non-priv user does not need sufficient
rights to create the top level directory, since root can do that before
setuid()'ing. The umask() will also be changed to be appropriately restrictive
before creation.

3) If you want to configure the repository to be accessible in file:// mode by
multiple users, do this:

        svnadmin create --user=owner --group=groupname /path/to/repos

This also requires root access and uses setuid/setgid prior to calling BDB. The
root user will also be able to set the directory rights sticky (for those
platforms which require it). The files should not be owned by root, so some
user has to be the titular owner of the files (usually the poor sod who has to
run 'recover' when needed ;~).

Yes (I can hear you) a competent admin can do all of this themselves. Yes,
anyone with su can switch to another user before creating the repository in
order to get the right ownership.

But, this makes it possible for someone who is not a competent admin, yet has
root access, to _do it right the first time_. There are way too many people out
there loading Linux for the first time and without the knowledge of how an O/S
with real security operates. This gives them a very simple recipe for how to
set up the repository in the most appropriate fashion for their environment.

John

p.s. it goes without saying that this code all becomes no-ops on insecure O/S's,
like Windows...

-- 
John Peacock
Director of Information Research and Technology
Rowman & Littlefield Publishing Group
4501 Forbes Boulevard
Suite H
Lanham, MD  20706
301-459-3366 x.5010
fax 301-429-5748
Received on Fri Sep 5 21:27:05 2003
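The three-step recipe in the message above (root creates and hands over the top-level directory, the process drops to the target user and group before any repository files are written, and a restrictive umask governs the files that follow) as an added C example. This is not Subversion's or John Peacock's code; it assumes a scratch directory under /tmp, an illustrative directory mode of 02770 and umask of 027, and that when run unprivileged it "drops" to the caller's own uid/gid (which setuid/setgid permit), so the sequence and its checks can be exercised without root. Run as root with a real service account's ids as arguments, it performs the actual drop.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Step 1 (still privileged): create the top-level directory, hand it to the
 * target owner/group, then set the mode. chmod comes after chown because
 * some systems clear the setgid bit on chown. 0 on success, -1 + errno. */
int create_repo_dir(const char *path, uid_t uid, gid_t gid, mode_t mode)
{
    if (mkdir(path, 0700) != 0) return -1;
    if (chown(path, uid, gid) != 0) return -1;
    if (chmod(path, mode) != 0) return -1;
    return 0;
}

/* Step 2: irrevocably drop to uid:gid before calling into BDB.
 * Order matters: supplementary groups first (only root may set them),
 * then gid, then uid; changing the uid last is what closes the door. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Confirm both real and effective ids changed ... */
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    /* ... and that root cannot be regained (meaningless if uid is 0). */
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* Step 3: restrictive umask, then create a repository file.
 * Returns the file's permission bits so the caller can verify them. */
int create_repo_file(const char *path, mode_t umask_value)
{
    struct stat st;
    umask(umask_value);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    if (fd < 0) return -1;
    close(fd);
    if (stat(path, &st) != 0) return -1;
    return (int)(st.st_mode & 07777);
}

/* Runs the three steps in a fresh scratch directory (assumption: /tmp is
 * writable) and checks each outcome. Returns 0, or the failing step. */
int run_recipe(uid_t uid, gid_t gid)
{
    char base[] = "/tmp/svnrepo.XXXXXX";
    char repo[64], file[80];
    struct stat st;

    if (mkdtemp(base) == NULL) return 1;
    snprintf(repo, sizeof repo, "%s/repos", base);
    snprintf(file, sizeof file, "%s/db", repo);

    /* Step 1: owned by uid:gid, group-writable, setgid so files inherit gid. */
    if (create_repo_dir(repo, uid, gid, 02770) != 0) return 1;
    if (stat(repo, &st) != 0 || st.st_uid != uid || st.st_gid != gid) return 1;
    if (!(st.st_mode & S_ISGID)) return 1;

    /* Step 2: nothing below this line runs with the caller's privileges. */
    if (drop_privileges(uid, gid) != 0) return 2;

    /* Step 3: 0666 masked by 027 must yield 0640, group-owned by gid. */
    if (create_repo_file(file, 027) != 0640) return 3;
    if (stat(file, &st) != 0 || st.st_gid != gid) return 3;
    return 0;
}

/* Usage: ./recipe [UID GID]; without arguments it uses the caller's ids. */
int main(int argc, char **argv)
{
    uid_t uid = argc > 2 ? (uid_t)atoi(argv[1]) : getuid();
    gid_t gid = argc > 2 ? (gid_t)atoi(argv[2]) : getgid();
    int rc = run_recipe(uid, gid);
    if (rc == 0)
        printf("recipe ok as uid %u gid %u\n", (unsigned)uid, (unsigned)gid);
    else
        printf("step %d failed: %s\n", rc, strerror(errno));
    return rc;
}
```

The post-drop checks are the part worth copying: verifying getuid()/geteuid() and that setuid(0) now fails is what turns "we called setuid()" into "we cannot get root back", and the setgid bit on the directory (together with the umask) is what makes the multi-user file:// case in step 3 of the proposal work without anyone running chgrp afterwards.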

This is an archived mail posted to the Subversion Dev mailing list.
