[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

svnserve, users, and passwords

From: Nick Patavalis <npat_at_efault.net>
Date: 2004-08-01 22:36:35 CEST

I'm using subversion though svnserve. The subversion repository is on
a system where users do not have accounts. So all the repository files
are owned by the "svn" system user, and the "svnserve" daemon (running
as user "svn") performs user-authentication as usually.

The problem is that the svn protocol does not provide a way for the
users to set their passwords. So they have to tell me (the
administrator) their passwords, and I have to edit the respective
pain-text files. For several reasons I do not want to have users
telling me their passwords. One can think of several such reasons:
Users are trained not to reveal passwords, and you don't want to go
against that, a user might give you a sensitive password which you'd
rather not know, and so on.

Luckily since the svn client caches passwords it would not be very
inconvenient (for the users) to assign random passwords to them. So
here's a simple technique I've devised to do just that. It's not
rocket-science---just a couple of simple scripts---but they work for
me, and I thought they could work for others too:

Inside "$REPOS/conf" setup "svnserve.conf" to read user-passwords from
the file "$REPOS/conf/passwd". This file will be automatically
generated, so you don't have to edit it manually. Actually event if
passwd gets deleted it can be recrated from the information in the
master users' list. Inside "$REPOS/conf", create a file named "users"
which will be your master users' list mentioned above. Initially it
contains lines like this (which you entered manually, to corespond to
your valid users):

   npat npat@efault.net
   joe joe@somedomain.com
   foo bar@foobar.net

The first word is the user-name, then a space, and then a valid
email-address for the user. After you edit this file you run the
"users_update.sh" script, which is conviniently also located inside
"$REPS/conf". The users_update script does the following:

  - scans the users list.

  - if it sees that a line has two fields (as all the lines in the
    example above do) it generates a random password, and edits the
    line adding this random-password as a third field. It then sends
    an email to the user informing her of the new password (using a
    message template also stored in "$REPOS/conf", and called
    "users_email_msg.txt").

  - if instead it sees that a line has three fields, it does nothing

  - finaly it generares the "$REPOS/conf/passwd" file from the "users"
    list.

  - as a finishing touch, it makes sure than both the master users
    list, and the passwd files are readable only by the "svn" user

After running "update_users.sh", the edited users list would look like
this:

   npat npat@efault.net bc45ed12
   joe joe@somedomain.com aacc1234
   foo bar@foobar.net 1276fe27

and the generated passwd file:

   # *** DO NOT EDIT ***
   # Automatically generated.
   # Generated: Sun Aug 1 10:08:18 EEST 2004
   # Edit the "users" file instead,
   # and run "users_update.sh" to regenerate
   [users]
   npat = bc45ed12
   joe = aacc1234
   foo = 1276fe27

The "$REPOS/conf/" directory looks like this:

  passwd ; the auto-generated passwords file
  svnserve.conf ; server config file
  users ; master users list
  users_emain_msg.txt ; email template
  users_update.sh ; update script

The users have also received mail informing them of their passwords.

If you want to add new users, simply edit the "users" file (adding
more lines to it), and rerun "update_users.sh". If you want to change
the password of a user (for whatever reason), edit the "users" file,
removing the third field from the respective line, and rerun
"update_users.sh"

If you are interested you can find the respective files and scripts
at:

  http://npat.efault.net/hacks/svnserve-users

They 're not much, but they might come handy.

Regards
/npat

P.S. I have also written a simple post-commit script that uses the
     master users list (conf/users) as an address-book in order to
     adjust the "From:" headers when it sends commit-updates to
     watchers. If you are interest, drop me a line and I will clean-it
     up and put it online too.

-- 
He who joyfully marches to music in rank and file has already earned
my contempt.  He has been given a large brain by mistake, since for
him the spinal cord would fully suffice.
  -- Albert Einstein
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Sun Aug 1 22:36:58 2004

This is an archived mail posted to the Subversion Users mailing list.