
Re: umask problem with apache2 and mod_dav_svn

From: Dominic Anello <danello_at_danky.com>
Date: 2006-04-29 22:27:24 CEST

On 2006-04-26 16:03:09 +0300, kulve wrote:
> Hi
>
> I have set up a development environment based on trac and svn. svn is
> used using http protocol with svn command line tool and optionally
> browsed through trac.
>
> My apache2 uses suexec to exec cgi with my own account that should have
> read/write group access to svn files. Using svn from command line the
> dav module is used and afaik it is run as www-data user by default
> (suexec has no effect there). www-data should be the owner of the files
> in my setup.
>
> The problem is that group loses sometimes the write access (because of
> bad umask?). I have added "chmod g+w" hack to post-commit.sh which might
> fix some issues. But it seems that always when a new logfile (e.g.
> db/log.0000000004) is created it's missing the group write access and I
> need to recover the database and set owner and access modes.
>
> So, is there a way to
> a) choose what user is used when accessing svn files through dav svn?

When accessing the repos via DAV, the group of the process used to
access the repos is whatever apache is running as. You can use the
apache Group directive to set the Group that apache runs to whatever
group owns your repos/db directory. This directive is global, not
settable per directory or anything like that. It usually goes at the top
of your httpd.conf file. I'm guessing you have something like:
  Group www-data
in there already.

Alternatively, you can chgrp the repos/db directory to whatever group
apache is already running as.

> b) use some post hook to give that new logfile group write access?

There should be no need to do this.

> c) set umask so, that new files in my svn will have group write access?

The umask is part of it, the other half is setting SGID on the repos
directory so new files get created with the appropriate permissions.
You have to:
  1. Set the SGID flag on the db directory and make sure it is writeable
     by the group from (a). E.g.:
     chgrp -R www-data /usr/local/svn/repos/db
     chmod g+srwx /usr/local/svn/repos/db
     chmod -R g+rw /usr/local/svn/repos/db
  2. Make sure every process that accesses the repos, even for a read
     operation, has the appropriate umask. I use umask 0002.
     Put the umask directive at the top of the apachectl script, or
     whatever script you use to start apache. Also put it at the top of
     all your hook scripts and in your case, in your CGI script.
  3. Any user that needs to access the repos needs to be made a member
     of the group that owns the repos/db directory.
  
Now all log files that get created will have the appropriate group owner
and write permissions.

This is the configuration I use (I am also running trac), and I have
never had a permissions problem.

Good luck!

-Dominic

Received on Sat Apr 29 22:28:35 2006
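
A way to check the setup from the reply above on an existing repository, as an added example that is not part of the original mail. The helper names `audit_repo_perms`, `check_umask` and `demo` are hypothetical, and the demo builds a constructed throwaway directory instead of touching a real repository.

```shell
#!/bin/sh
# Added example (not from the original mail): audit a Subversion db
# directory against the SGID / group / umask setup described in the reply.

# audit_repo_perms DIR GROUP
# Prints one line per finding and returns 1 if anything was found.
audit_repo_perms() {
    dir=$1
    grp=$2
    findings=$(
        # Step 1: directories need SGID so new files inherit the group.
        find "$dir" -type d ! -perm -2000 | sed 's/^/no-sgid: /'
        # Step 1: every entry must belong to the shared group.
        find "$dir" ! -group "$grp" | sed 's/^/wrong-group: /'
        # Step 2: an entry without g+w was created under a restrictive umask.
        find "$dir" ! -perm -020 | sed 's/^/no-group-write: /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# check_umask: succeeds only if the current umask keeps group write on.
# Call it at the top of a hook or start script, after the umask line.
check_umask() {
    # Octal 020 is the group-write bit; the umask must not mask it out.
    [ $(( 0$(umask) & 020 )) -eq 0 ]
}

# Constructed demo: create a throwaway db directory and two new files,
# named like db/log.0000000004 in the question, under different umasks.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/db"
    chmod g+srwx "$tmp/db"
    ( umask 0002; : > "$tmp/db/log.0000000001" )   # keeps group write
    ( umask 0022; : > "$tmp/db/log.0000000002" )   # loses group write
    status=0
    audit_repo_perms "$tmp/db" "$(id -gn)" || status=$?
    rm -rf "$tmp"
    return "$status"
}
```

Running `audit_repo_perms /usr/local/svn/repos/db www-data` after a few commits shows whether any process is still creating files with the wrong umask.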

This is an archived mail posted to the Subversion Users mailing list.
