[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: apache user invoking svn

From: Nico Kadel-Garcia <nkadel_at_comcast.net>
Date: 2006-07-27 19:27:58 CEST

Toby Johnson wrote:
> Bradley Wagner wrote:
>>
>>> svnserve.conf has no affect on Apache, are you running svnserve as
>>> well? If your goal is to ensure all access is via http only, all you
>>> need to do is make the repo directory owned by the Apache user, with
>>> +rwX permissions, and no permissions for group or others.
>>
>> yes, that is exactly my goal. I was wondering if there was any more
>> elegant way in svn to disable access via svn+ssh:// other than
>> changing the directory ownership to be only the user running apache.
>> I think managing a separate authz_db file for svnserve.conf that just
>> disables all access would probably be easiest. Though, will that
>> affect apache's ability to invoke svn? I guess I'm a little unclear
>> about the different mechanisms for invoking SVN.
>>
>> Bradley
> How is setting filesystem permissions inelegant? That's exactly what
> filesystem permissions are for. The problem is that the svn repo is
> just a bunch of files. If someone has access to those files, they
> could either access them directly using file://, or they could set up
> their own svnserve process or their own Apache process or whatever
> they want to to bypass whatever you might set in some configuration
> file.
> So the answer is no, there is no way to prevent svn+ssh access
> through a config file, because there is no way to force clients to
> even use your config file. If you want to prevent all access except
> via Apache, then using filesystem permissions is the only way to
> accomplish that.

There's the pre-commit script and svnperms.conf and svnperms.py, which works
just fine.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Thu Jul 27 19:30:44 2006

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.