[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Could svn check permissions?

From: John Peacock <jpeacock_at_rowman.com>
Date: 2003-09-07 13:10:00 CEST

John Peacock wrote:
> --user-id arg : create repository for exclusive access by
> user ARG
> --group-id arg : create repository for shared access by
> group ARG
>

Status update:

I have a proof of concept patch which appears to do what I suggested (under
Linux) at least as far as --user-id is concerned. I'm missing some subtlety
about how to use setgid() in combination with setuid(). I also need to test
this on Win32, since most of this security code has to magically vanish for
insecure O/S's; I'm going to take a look at how Apache does it.

Here's an example:

> # ./svnadmin create --user-id nobody /tmp/test2
>
> # ll /tmp/test2
> total 10
> drwx------ 2 nobody nogroup 1 Sep 7 07:00 dav/
> drwx------ 2 nobody nogroup 1 Sep 7 07:00 db/
> -rw------- 1 nobody nogroup 1 Sep 7 07:00 format
> drwx------ 2 nobody nogroup 1 Sep 7 07:00 hooks/
> drwx------ 2 nobody nogroup 1 Sep 7 07:00 locks/
> -rw------- 1 nobody nogroup 1 Sep 7 07:00 README.txt

I have some questions though:

1) If a repository is going to be set up for exclusive access by a single user,
what would be the most appropriate permissions to use on the repos files? The
book discussion umask(002) as sane for shared access, but it doesn't discuss
exclusive access. I was thinking it would be best if the repository files were
not even read-only to any other user (to prevent even the most well intentioned
attempts to access the repository). I chose umask(077) for exclusive mode (and
tested it). Too harsh?

2) I have noticed that svnadmin also creates the ~user/.subversion/* files when
creating a repository. Is this still appropriate for a user like nobody, which
does not (typically) have a homedir???

Thanks

John 

-- 
John Peacock
Director of Information Research and Technology
Rowman & Littlefield Publishing Group
4720 Boston Way
Lanham, MD 20706
301-459-3366 x.5010
fax 301-429-5747
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Sun Sep 7 13:59:16 2003

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.