[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: apache user invoking svn

From: Toby Johnson <toby_at_etjohnson.us>
Date: 2006-07-27 18:13:02 CEST

Bradley Wagner wrote:
>> svnserve.conf has no affect on Apache, are you running svnserve as
>> well? If your goal is to ensure all access is via http only, all you
>> need to do is make the repo directory owned by the Apache user, with
>> +rwX permissions, and no permissions for group or others.
> yes, that is exactly my goal. I was wondering if there was any more
> elegant way in svn to disable access via svn+ssh:// other than
> changing the directory ownership to be only the user running apache. I
> think managing a separate authz_db file for svnserve.conf that just
> disables all access would probably be easiest. Though, will that
> affect apache's ability to invoke svn? I guess I'm a little unclear
> about the different mechanisms for invoking SVN.
> Bradley
How is setting filesystem permissions inelegant? That's exactly what
filesystem permissions are for. The problem is that the svn repo is just
a bunch of files. If someone has access to those files, they could
either access them directly using file://, or they could set up their
own svnserve process or their own Apache process or whatever they want
to to bypass whatever you might set in some configuration file.

So the answer is no, there is no way to prevent svn+ssh access through a
config file, because there is no way to force clients to even use your
config file. If you want to prevent all access except via Apache, then
using filesystem permissions is the only way to accomplish that.


To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Thu Jul 27 18:13:34 2006

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.