
Re: Evaluating Subversion - some questions

From: Chris Jensen <cjensen_at_edex.com.au>
Date: 2004-09-17 01:54:46 CEST

> I gather that this means that one always has to
> place the Berkeley DB on the same machine as the "svnserve -d" process (daemon/service) runs?

That's right.

> 2) How does all of this work when one wants to expose a repository to
> outside users who will access it through the public internet? The server
> has to sit in the DMZ and the data along with it? - Doesn't seem good to have the data in the DMZ.

I'm familiar with the use of DMZs, but not entirely clear on all the
reasoning for decisions when designing it. But, if your subversion
server was allowed to reach into your secured internal network file
server to access its repository, wouldn't this be a less secure
situation than housing the repository in the DMZ?

In both cases, if your subversion server gets compromised, then there's
potential for the attacker to hose your repository. But if the
repository is in the DMZ, the damage stops there. If your svn server has
permission to reach into the internal network, then so too does the
attacker now, giving them the opportunity to get inside and cause more
problems.

Like I said, I don't know what the "official" recommended topology is,
that's just my analysis of the situation.

> 3) Is there any way to tie existing security infrastructure (LDAP,
> networking OS, etc.) authentication mechanisms into svnserve or does one
> pretty much have to maintain separate id/passwords?

If you use svnserve + ssh (which would be recommended if users are
coming from the internet) you can use whatever authentication
mechanisms are available for SSH. So via PAM you could use LDAP,
Kerberos, Samba Winbind, NIS, unix, etc.
You're probably aware that the repository can also be served by Apache,
which also has all of these authentication mechanisms available and more.

-- 
---------------------------------------------------------------------
Chris Jensen cjensen@edex.com.au
Educational Experience (Australia)
Postal Address: PO Box 860, Newcastle NSW 2300
Freecall:       1-800-025 270      International: +61-2-4923 8222
Fax:            (02) 4942 1991     International: +61-2-4942 1991
Visit our online Toy store! http://www.toysandmore.com.au/
---------------------------------------------------------------------

Received on Fri Sep 17 01:54:37 2004

This is an archived mail posted to the Subversion Users mailing list.
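
An added example, not part of the archived mail or of the Subversion project: an OpenSSH `sshd_config` fragment for the svnserve + ssh setup described in the reply, where SSH authenticates through PAM and the accounts used for repository access can run nothing except svnserve in tunnel mode. The group name `svnusers` and the repository root `/srv/svn` are assumptions.

```conf
# sshd_config fragment (added example; group name and paths are assumptions)

# Hand authentication to the PAM stack for the sshd service, so LDAP,
# Kerberos, Winbind, NIS or local unix accounts can back SSH logins.
# This is a global setting and must appear before any Match block.
UsePAM yes

# Accounts in the hypothetical group "svnusers" get Subversion access only.
Match Group svnusers
    # Ignore whatever command the client requests and always start svnserve
    # in tunnel mode, confined to the assumed repository parent directory.
    ForceCommand svnserve -t -r /srv/svn
    # Disable features that would let an svn account on the DMZ host be
    # used to reach other networks or obtain an interactive session.
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTTY no
```

With `-r` set, clients name repositories relative to that root in their `svn+ssh://` URLs, and the server-side filesystem layout is not exposed to them.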