Hi,
> >>The repository is accessed via Apache2, which is run under the nobody
> >>disabled account. Hence, the repository is owned by nobody since it
> >>doesn't work otherwise.
I think the common way of doing that would be to have the BDB files
owned by the Apache user but being in a special svn administration
group, e.g.
> drwxrwxr-x 7 apache svnadm 224 1. Jun 16:27 /var/svn/repos/
Now the user administrating the svn repository has to be a member of
that svnadm group. That way this user has write access to the subversion
repository but not to the Apache configuration etc.
You can of course fine-tune this further by having separate groups for every
repository. And don't change Subversion's config files to this group;
keep it for repository administration only.
> Interesting enough, there is an 'apache' account in my system... it has
> !! in the /etc/shadow password field, whatever that means...
That is the common way of "disabling" a user account. Set its encrypted
password to something which can't be generated by crypt. So the apache
account is disabled but that is a good thing. It basically means that
only root can use that account by "su"ing into it and running apache.
This makes it impossible for evil users to gain access via that account.
Every account that is not used for real login sessions by users
(basically every account which is just used to run daemons under it)
should be locked this way.
mfg
Martin
Received on Wed Jul 21 12:26:06 2004
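
An added example, not part of the original message: a small POSIX shell check for the account locking described above. It reads shadow(5)-format lines and reports daemon accounts whose password field is not locked. The sample data is constructed, and the `svnsync` and `ftp` accounts and both function names are assumptions made for illustration.

```shell
#!/bin/sh
# Classify the password field of a shadow(5) entry.
#   locked - starts with '!' or '*', so no crypt() output can ever match it
#   empty  - no password is required at all
#   hash   - a usable password hash, i.e. password login is possible
shadow_state() {
    case "$1" in
        '')          echo empty ;;
        '!'*|'*'*)   echo locked ;;
        *)           echo hash ;;
    esac
}

# Read shadow-format lines on stdin and print "user:state" for every account
# named in $1 (space-separated daemon accounts) that is NOT locked.
unlocked_daemons() {
    daemons=$1
    while IFS=: read -r user pw _rest; do
        case " $daemons " in
            *" $user "*) ;;          # a daemon account we care about
            *) continue ;;           # a real login user, skip
        esac
        state=$(shadow_state "$pw")
        [ "$state" = locked ] || echo "$user:$state"
    done
}

# Constructed sample data (not taken from any real system).
sample_shadow() {
cat <<'EOF'
root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
apache:!!:12600:0:99999:7:::
nobody:*:12600:0:99999:7:::
svnsync:$6$constructedsalt$constructedhash:19000:0:99999:7:::
ftp::12600:0:99999:7:::
EOF
}

# Demo on the sample; on a real host, run as root:
#   unlocked_daemons "apache nobody" < /etc/shadow
sample_shadow | unlocked_daemons "apache nobody svnsync ftp"
```

An empty field is reported separately from a hash because it allows login with no password at all.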