Martin Probst wrote:
> Hi,
>
>
>>>>The repository is accessed via Apache2, which is run under the nobody
>>>>disabled account. Hence, the repository is owned by nobody since it
>>>>doesn't work otherwise.
>
>
> I think the common way of doing that would be to have the BDB files
> owned by the Apache user but being in a special svn administration
> group, e.g.
>
>>drwxrwxr-x 7 apache svnadm 224 1. Jun 16:27 /var/svn/repos/
>
> Now the user administrating the svn repository has to be a member of
> that svnadm group. That way this user has write access to the subversion
> repository but not to the Apache configuration etc.
> You can of course fine tune this further by having own groups for every
> repository. And don't change subversions config files to this group,
> keep it for repository administration only.
Sounds good, I'm going to try something along this line.
>>Interesting enough, there is an 'apache' account in my system... it has
>>!! in the /etc/shadow password field, whatever that means...
>
>
> That is the common way of "disabling" a user account. Set its encrypted
> password to something which can't be generated by crypt. So the apache
> account is disabled but that is a good thing. It basically means that
> only root can use that account by "su"ing into it and running apache.
> This makes it impossible for evil users to gain access via that account.
Ok, I was being confused because some accounts have a '*' while others
have '!!'. I had supposed it could mean something different from a
normal disabled account.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Wed Jul 21 12:42:50 2004