[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: [gmane.comp.version-control.subversion.user] Running svnserve as suid svn

From: <kfogel_at_collab.net>
Date: 2005-11-15 16:36:54 CET

larsbj@gullik.net (Lars Gullik Bjønnes) writes:
> I did not get any answers on this one at the users lists, so I try my
> luck here as well.

Just because you did not get any answers on the users@ list does not
make your post appropriate for dev@subversion.tigris.org. The charter
of dev@ does not change when posts on users@ go unanswered :-).

I wish you luck with your svn+ssh:// question, but this list is about
the development of Subversion itself. A good way to tell when a
question is appropriate here is to ask yourself if the answer to the
question would help Subversion development more, or would help the
poster more. If the latter, the question probably doesn't belong on
this list. Please help us keep dev@ traffic down -- it's already busy
enough here.

Although I'm responding to your original post, I'm quoting Alan
Barrett's reply below, so that people on users@ (which I have CC'd)
can benefit from the answer.

Best,
-Karl

> From: Alan Barrett <apb@cequrux.com>
> Subject: Re: [gmane.comp.version-control.subversion.user] Running svnserve as suid svn
> To: dev@subversion.tigris.org
> Date: Tue, 15 Nov 2005 12:09:37 +0200
>
> On Tue, 15 Nov 2005, Lars Gullik Bjønnes wrote:
> > For several reasons we are required to use svn+ssh:// to access our
> > svn repo, at the same time we then dislike that we must have a common
> > group for all the svn users, and that the users then can muck around
> > in the repo itself and create (unintentinal) havoc.
>
> You don't need to put all the users in a group that can access the
> file system that contains the repository. Search for "It is also
> possible to have multiple users share a single account" in the red-bean
> book (http://svnbook.red-bean.com/). Then your users will access
> the repository via URLs like svn+ssh://subversion@hostname/reponame/
> (all users sharing the "subversion" account on the server side, but
> restricted by ssh configuration so that they can only run svnserve, they
> can't login directly as the "subversion" user).
>
> > It seems ut us that a (temporal, until svnserve support SASL/SSL)
> > solution might be to make the svnserve binary suid svn.
> > Is this something anyone has tried? Will it work as expected, or will
> > it burn down the house?
>
> Search the dev mailing list archives for patches from Perry Metzger to
> allow svnserve to run setuid or setgid (I forget what Perry implemented,
> and I don't use those patches).
>
> --apb (Alan Barrett)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Tue Nov 15 17:59:36 2005

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.