Re: [security question] commit-email.pl completely ignores access rules

From: Kevin Williams <kevin_at_bantamtech.com>
Date: 2005-05-01 16:16:35 CEST

How is your hooks/post-commit file configured? I believe that's where
you specify where commit-email.pl should send messages to.

I use mailing lists to associate users who should be notified of commits
to a certain repository. You could have the /src/harry/hooks/post-commit
send to harry-commits@your.domain and /src/sally/hooks/post-commit send
to sally-commits@your.domain. The hook for the shared repository could
send to both lists, for example.

Stan Devyatovsky wrote:
> Hello,
>
> I am interested in best security practices with Subversion. I've been
> very happy to set up Apache2+mod_dav_svn instead of standalone
> svnserve, because it allows for much better access control.
>
> Being able to restrict users from accessing each particular file or
> folder is just great!
>
> However, we also use a Post Commit hook script - commit-email.pl, and
> it completely disregards the security rules we've set up.
>
> Example security rules:
> [project:/src/harry]
> *=
> harry=rw
> [project:/src/sally]
> *=
> sally=rw
> [project:/src/shared]
> *=rw
>
> I don't want Harry to see Sally's source dir, and I don't want Sally
> to see Harry's source dir either. However they have a shared source
> folder, and they can both access it.
> Now, since we have a post commit hook (commit-email.pl), upon each
> commit both Harry and Sally will receive email notification with all
> changes in there. Sally will actually receive all Harry's changes via
> email, even those which he did in his private folder: /src/harry - and
> Sally is not supposed to ever see it!
>
> Is there any way to limit email notification, so that Sally sees only
> what she is supposed to see (changes in /src/sally and /src/shared,
> but not in /src/harry)?
> Any ideas are welcome and greatly appreciated.
>

Received on Sun May 1 16:20:28 2005

This is an archived mail posted to the Subversion Users mailing list.
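
The filtering asked about in the quoted question can be done by checking each changed path against the same access rules before a recipient's notification is built. The following is an added example, not part of the thread and not code from commit-email.pl; it models only the user and `*` entries shown in the post (no groups or aliases), and the file names in the sample `svnlook changed` output are constructed.

```python
import configparser

# Constructed sample: the access rules quoted in the post.
AUTHZ = """[project:/src/harry]
*=
harry=rw
[project:/src/sally]
*=
sally=rw
[project:/src/shared]
*=rw
"""
# Constructed sample of `svnlook changed` output for one commit by harry.
CHANGED = "U   src/harry/secret.c\nA   src/shared/util.h\n"

def load_rules(text, repo="project"):
    """Map each path section of `repo` to its {user: perms} entries."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user names case-sensitive
    cp.read_string(text)
    rules = {}
    for section in cp.sections():
        name, _, path = section.partition(":")
        if name == repo:
            rules[path.rstrip("/") or "/"] = dict(cp[section])
    return rules

def can_read(rules, user, path):
    """Simplified lookup: the nearest ancestor section naming user or * decides."""
    node = "/" + path.strip("/")
    while True:
        acl = rules.get(node, {})
        perms = [acl[k] for k in (user, "*") if k in acl]
        if perms:
            return any("r" in p for p in perms)
        if node == "/":
            return False  # no rule matched anywhere: deny
        node = node.rsplit("/", 1)[0] or "/"

def visible_changes(rules, changed, recipients):
    """Per recipient, the changed paths that recipient is allowed to read."""
    paths = [line[4:] for line in changed.splitlines() if line.strip()]
    return {u: [p for p in paths if can_read(rules, u, p)] for u in recipients}

if __name__ == "__main__":
    result = visible_changes(load_rules(AUTHZ), CHANGED, ["harry", "sally"])
    for user, paths in result.items():
        print(user, paths)
```

A hook built this way would mail each recipient only the paths in their own list, so a commit touching both /src/harry and /src/shared reaches Sally with the shared change alone.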