
Re: Limits on use of the file scheme

From: Ryan Schmidt <subversion-2005_at_ryandesign.com>
Date: 2005-08-04 17:40:49 CEST

On 04.08.2005, at 16:00, Simon Timms wrote:

>> If your admins are happy with serving files they should be happy
>> with serving 'web pages' to the same set of clients.
>
> They aren't. In their minds they have accepted the security risk that
> is running file shares but they have not accepted the risk that is
> running Apache or svnserve.
>
> [snip]
>
> I know right now they are
> very worried about who can administer the repository via svnadmin. Is
> there any way to limit who can use the svnadmin command?

Making the repository available via Apache or svnserve does not give
away additional access via svnadmin. svnadmin, it so happens,
requires that the repository be specified using a local filesystem
path; it does not accept URLs of any kind as a means to identify a
repository. So in order to use svnadmin, you must have a shell
account on the Subversion server.

If you currently offer file:/// access to the repository, that means
you're granting any and all access via svnadmin too. By installing
Apache or svnserve and turning off the file:/// access, you would
limit svnadmin access to only those people who have shell accounts
and write permission to the repository files. So I think using
svnserve or Apache would be an increase in security for you, not a
decrease as your admins seem to believe.

Received on Thu Aug 4 17:42:40 2005

This is an archived mail posted to the Subversion Users mailing list.
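
The mail above ties svnadmin access to filesystem write permission on the repository files, which can be checked directly on the server. The following is an added example, not part of the original mail; the function names are hypothetical and the repository is whatever local path you pass in.

```shell
#!/bin/sh
# Added example: classify how widely a Subversion repository directory
# is writable at the filesystem level. Anyone with that write access can
# use file:/// and svnadmin against it, as the mail explains.

# Print "world", "group" or "owner": the widest class of local accounts
# holding write permission on any file or directory under the repository.
repo_write_exposure() {
    repo=$1
    [ -d "$repo" ] || { echo "not a directory: $repo" >&2; return 2; }
    # Symlinks are skipped: their own mode bits do not control access.
    if [ -n "$(find "$repo" ! -type l -perm -0002 | head -n 1)" ]; then
        echo world
    elif [ -n "$(find "$repo" ! -type l -perm -0020 | head -n 1)" ]; then
        echo group
    else
        echo owner
    fi
}

# Print the numeric group IDs that own group-writable entries, one per
# line. Members of these groups have svnadmin-equivalent access.
repo_writer_gids() {
    find "$1" ! -type l -perm -0020 -exec ls -ldn {} + |
        awk '{print $4}' | sort -u
}
```

A result of "owner" with the files owned by the account that runs Apache or svnserve matches the setup the mail recommends; "group" or "world" means other local accounts can still reach the repository directly.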
