I tried it out with sudo now and it works like a charme. All I had to
do was write a little wrapper-script with the following content:
sudo -u user /usr/local/bin/svnserve -t
This works great, but there is still one problem. I have to place the
user of the repositiry in the wrapper-script. Therefore it wouldn't
be possible to have different users own different repositories, but
this doesn't cause problems for me. If I would be using Apache, then
apache would also own all the repositories as well.
Of course I had to setup the users being able to run that command in
the sudoers. Here I also have the possibility to use system groups.
This way the users cannot use the repository using file:/// anymore
since they don't own the files in the repository. So they always have
to use svn+ssh://. Password caching is also not possible anymore
since it uses ssh.
The only thing I would love to see, would be able to configure the
command being run on the server side (svnserve -t) to able to
configure in the runtime configuration just like the tunnel itself.
Best would even be if it could be configured per schema.
Timo
Am 15.04.2006 um 01:10 schrieb Timo Wendt:
> I finally checked the source code. It seems to be coded in fix that
> it calls svnserve t on the server side. Actually without a absolute
> path so svnserve has to be in the path.
> Therefore the only way of doing this is to use a wrapper script for
> svnserve on the server.
>
> May this would be something for a future release, that the command
> can be configured in the runtime config as well? The user has
> access to the machine anyway, therefore it wouldn't be a security
> issue, I guess. this would make it possible to use either userv or
> also sudo to call svnserve. By that svnserve could always run as a
> the same user. Or are there other problems with this?
>
> Am 14.04.2006 um 16:44 schrieb Timo Wendt:
>
>> Hi,
>>
>> I got the great hint of using a tool called userv together with
>> subversion. This sounds really good to me. userv is a tool that
>> gives the opportunity of running a program as another user. To be
>> honest this sounds like sudo, but userv is supposed to be more
>> secure since it is running as a daemon. But in fact the solution
>> would probably even work with sudo as well.
>>
>> Noew the guy explains how he did get it to run on the following link:
>>
>> http://www.chiark.greenend.org.uk/~sgtatham/svn.html#S2
>>
>> I did actuallay get userv to run. Now there is stated the
>> following on that link:
>>
>> <Remote access, of course, is still via ssh, only instead of
>> running ‘ssh remote-host svnserve’, you now have to run ‘ssh
>> remote-host userv simon-svn svnserve’. But Subversion makes it
>> easy to configure strange remote access methods (by adding entries
>> in the [tunnels] section in the .subversion/config file), so that
>> wasn't a problem.>
>>
>> How is this supposed to work? Reading about tunnels in the
>> subversion book and also the explanation withing the config file
>> tells me that if I create a new schema, lets call it userv, an
>> dtell ist to execute "userv user svnserve" then svn will call the
>> following:
>>
>> userv user svnserve hostname svnserve -t
>>
>> Well this is not what I want. It is supposed to run a different
>> command on the server side, but this doesn't seem to be
>> configurable, is it? How did he get this managed?
>>
>> Any ideas?
>>
>> Timo
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
>> For additional commands, e-mail: users-help@subversion.tigris.org
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: users-help@subversion.tigris.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Sat Apr 15 11:14:21 2006