
Re: user management with no root access

From: Nico Kadel-Garcia <nkadel_at_comcast.net>
Date: 2006-05-03 18:58:48 CEST

Rainer Sokoll wrote:
> On Wed, May 03, 2006 at 03:17:31PM +0200, John Biddiscombe wrote:
>
>> Is there some way that the admins can allow me to create
>> projects/repositories/users and change access rights etc without me
>> being a root user and without allowing me to break the entire system
>
> First of all: Apache should /never/ run as root, so for configuring
> apache there are no root privileges needed.
> For the user management I use this (short to give you just an idea):

Please rethink this. For a number of obvious security reasons, Apache
configuration files are normally used, and because Apache normally runs on
the privileged ports 80 and 443, it needs to be *STARTED* by root. Once the
ports are opened up, then the daemons are forked off and they are owned by
"apache" or "www" or some similar account.

> in httpd.conf:
> <Location /it/>
> Include conf/subversion.conf
> SVNParentPath /svn/svn/it
> AuthzSVNAccessFile conf/svnaccess/svnaccess.it
> AuthName "Access to IT area"
> </Location>
>
> In svnaccess.it, I have (among other things):
> [jsubversion01:/]
> @it = rw
> [jsubversion01:/svnaccess.ics]
> tsenger = rw
>
> In the it repository, I have a post-commit hook:
> cd /usr/local/httpd-ssl-2.0.58/conf/svnaccess && \
> /usr/local/subversion-with-ssl-1.3.1/bin/svn up
> file:///svn/svn/it/jsubversion01/ .
>
> So, /usr/local/httpd-ssl-2.0.58/conf/svnaccess is a wc for the
> repository [jsubversion01:/].
> Every member of the group it has been granted full access to
> /usr/local/httpd-ssl-2.0.58/conf/svnaccess, and the user tsenger has
> only access to
> /usr/local/httpd-ssl-2.0.58/conf/svnaccess/svnaccess.ics.
> Since changes on these files take effect without restarting apache, I
> can control access to svn by using svn itself :-)
>
> Rainer
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: users-help@subversion.tigris.org

Received on Wed May 3 19:07:21 2006
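
Added example, not part of the original mail or of Subversion itself: in the setup quoted above, whoever can commit to the access files can change the access rules Apache enforces, so it is worth listing who that is. The sketch below uses a simplified model of authz lookup (the most specific section with a rule matching the user wins, and matching lines within a section combine); the function names, the [groups] members and the user carol are assumptions made for the example.

```python
import configparser
import posixpath

# Constructed sample modelled on the svnaccess.it fragment quoted in the mail;
# the [groups] members and the read-only user carol are invented.
SAMPLE_AUTHZ = """\
[groups]
it = alice, bob
[jsubversion01:/]
@it = rw
[jsubversion01:/svnaccess.ics]
tsenger = rw
carol = r
"""

def parse(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(text)
    rules = {s: dict(cp[s]) for s in cp.sections()}
    groups = {g: {m.strip() for m in v.split(",") if m.strip()}
              for g, v in rules.pop("groups", {}).items()}
    return groups, rules

def matches(subject, user, groups):
    """True if a rule subject ('*', 'user' or '@group') covers this user."""
    if subject in ("*", user):
        return True
    return subject.startswith("@") and any(
        matches(m, user, groups) for m in groups.get(subject[1:], ()))

def access(user, repo, path, groups, rules):
    """Rights from the most specific section with a rule matching the user."""
    while True:
        for name in (f"{repo}:{path}", path):
            hits = [v for s, v in rules.get(name, {}).items()
                    if matches(s, user, groups)]
            if hits:
                return "".join(hits)  # matching lines in a section combine
        if path == "/":
            return ""
        path = posixpath.dirname(path)

def writers(text, repo, path):
    """Named users who can commit to `path`, i.e. rewrite that ACL file."""
    groups, rules = parse(text)
    names = set().union(*groups.values(), *(sec.keys() for sec in rules.values()))
    return sorted(u for u in names if u[0] not in "@*"
                  and "w" in access(u, repo, path, groups, rules))
```

Running `writers(SAMPLE_AUTHZ, "jsubversion01", "/svnaccess.it")` against the real access file before each deployment shows exactly which accounts can alter the rules that the post-commit hook copies into Apache's conf directory.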

This is an archived mail posted to the Subversion Users mailing list.
