
Re: Administering multiple repositories

From: Ron Bieber <ron_at_bieberlabs.com>
Date: 2004-10-08 13:18:58 CEST

On Fri, 2004-10-08 at 05:42, Kevin Jones wrote:

> Some background.
>
> I'm mainly a Windows developer/user with some Linux knowledge/experience,
> but not too much Linux admin experience.
>
> I have a Linux box set next to me and I've installed Subversion on it. I
> currently have it set up using WebDAV under Apache and after a little head
> scratching it works. The way it is set up is to have SVNParentPath set to
> point at a directory and to have multiple repositories under that directory.
> I have a couple of questions (oh, and I have read the book :) )
>
> i) I've set the owner/group of the repositories to 'apache'. Is this a good
> way to do things or should I create a 'subversion' user and add that user to
> the 'apache' group, or should I do something else completely (I know there
> is no 'one true way' I just want to make sure I don't screw myself
> completely in the future if/when I decide to change things)

I see no reason using apache as the user would cause any problems. For
our setup, I have created a user called 'buildmaster' who is under the
'build' group and Apache runs as this user. The buildmaster user has a
shell account that we can run the automated build (CruiseControl)
under, and is the user that we log in as for all repository maintenance
functions (dumps, password/user additions, authorization changes, etc.).
All build related emails come from this user as well. This isn't
necessarily the right way to do it (I don't think there is one) but it
gives the administrators an idea of what they should be doing when
they're logged in, and gives the developers an idea of where all these
commit emails and build emails are coming from. It also allows us to
filter build related emails off to a subfolder in our mail system.

>
> ii) What are the implications of sticking with 'apache' as owner/group

None that I know of, except that I believe the apache user is normally
set up with a non-shell account.

>
> iii) What are the implications of using a different user/group

See answer to i above.

>
> iv) My real question. I have multiple repositories under SVNParentPath, can
> I specify different subversion access permissions for those repositories or
> should I go back to httpd.conf and add multiple <Location ...> entries with
> different access permissions for each repo.

I tend to use separate <Location> directives to do this, but that is
just a quirk I have about being very specific. I do not believe though
that you can have multiple svn_authz configuration files using
SVNParentPath, so if you want to give different users access to
different repositories, you will need to use separate location blocks.
All of my developers have access to all repositories, so again, I just
use separate location directives so that everything is laid out
specifically.

>
>
> BTW. I have Googled around for answers to these questions but found nothing
> definitive. In some cases I see advice to wrap Apache in a script and do a
> umask 002 before executing it, in others (actually here on the list) I've
> seen answers saying - 'if you use Apache and its default user you'll be
> fine'. So I'm confused :)

As I said earlier, our buildmaster user is the user Apache runs as, and
also the owner of the partition under which the repositories are
stored. All repositories are created by this user, so he owns them by
default. The limited few who are able to log into this box have sudo
access to su to this user to do any maintenance that needs to occur (new
passwords, new authorization rights, etc.). It's worked flawlessly for
us and has really cut down on the confusion. We've used this user
even back in the CVS days, so when we cut over to Subversion nothing
really changed. This is one of the reasons that I had decided way
back not to have application specific user names.

I hope this helps.

-- Ron

>
> Thanks,
>
> Kevin Jones
> http://kevinj.develop.com
Received on Fri Oct 8 13:21:45 2004
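
The per-repository layout described in the reply to question iv, written out as an added example that is not part of the original message or of either poster's configuration. Repository names, file paths, user names and the group name are hypothetical.

```apache
# httpd.conf fragment: one <Location> block per repository, each with its
# own password file and its own mod_authz_svn access file.
LoadModule dav_svn_module   modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

# Repository open to every authenticated developer.
<Location /svn/projecta>
    DAV svn
    SVNPath /srv/svn/projecta
    AuthType Basic
    AuthName "Project A repository"
    AuthUserFile /etc/svn/projecta.htpasswd
    AuthzSVNAccessFile /etc/svn/projecta.authz
    Require valid-user
</Location>

# Repository restricted to a smaller group, with a separate user list.
<Location /svn/projectb>
    DAV svn
    SVNPath /srv/svn/projectb
    AuthType Basic
    AuthName "Project B repository"
    AuthUserFile /etc/svn/projectb.htpasswd
    AuthzSVNAccessFile /etc/svn/projectb.authz
    Require valid-user
</Location>

# Contents of /etc/svn/projectb.authz (a separate file, shown as comments):
#
#   [groups]
#   core = alice, bob
#
#   [/]
#   @core = rw
#   * =
#
# "* =" gives every other authenticated user no access to this repository.
#
# The repository directories must be writable by the account Apache runs as
# ('apache' or 'buildmaster' in this thread). The .htpasswd and .authz files
# only need to be readable by that account and should not be world-readable.
```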

This is an archived mail posted to the Subversion Users mailing list.
