On 8/30/06, Jim Weir <javawaba@hotmail.com> wrote:
> >From: "Tuncer Ayaz" <tuncer.ayaz@gmail.com>
> >To: "Anthony Muller" <Anthony.Mueller@hyperoffice.fr>
> >CC: users@subversion.tigris.org
> >Subject: Re: [LINUX] How to launch svnserve process with another user than
> >'root' ?
> >Date: Wed, 30 Aug 2006 20:30:47 +0200
> >
> >On 8/30/06, Anthony Muller <Anthony.Mueller@hyperoffice.fr> wrote:
> >>
> >> > I don't know anything about Linux ... But I need to launch svnserve
> >> > process (using xinetd daemon) with another user than 'root'.
> >> >
> >> > What must I change to do that?
> >>
> >>
> >> > sample config which runs svnserve as user 'svn'
> >>
> >> > /etc/xinetd.d/svn
> >> > service svn
> >> > {
> >> > socket_type = stream
> >> > protocol = tcp
> >> > user = svn
> >> > wait = no
> >> > disable = no
> >> > server = /usr/bin/svnserve
> >> > server_args = -i -r /srv/svn
> >> > port = 3690
> >> > }
> >>
> >>Must I change anything on subversion's repositories files ?
> >
> >You have to change ownership of the repository (files, directories)
> >to the user svn.
> >To do this for this exact sample config (assuming svn belongs to his
> >own group called svn as is the case on Debian GNU/Linux):
> >$ chown -R svn:svn /srv/svn
> >
> >Just in case you are really new to Linux and Unix in general I
> >suggest you learn the basics first before doing something wrong
> >as understanding the whole picture is (always) important.
> >
> >---------------------------------------------------------------------
> >To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> >For additional commands, e-mail: users-help@subversion.tigris.org
> >
>
>
> I was just looking at my cvs file and it's using 'root', it was installed
> from an rpm but I'm not using cvs.
>
> Is running svn as 'root' a security risk?
As svnserve's port is well above 1024 there is no need to run it as root, not
even SUID. You should only run the bare minimum of services as root
but running as non-root does not protect you from privilege escalation.
SELinux and similar access control mechanisms limit those holes to
some extent.
Running a service which does not need root privileges as root is an
unnecessary risk.
Received on Wed Aug 30 22:29:31 2006
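
Added example, not part of the original thread: a small POSIX shell audit for the two points discussed above, that the xinetd service entry names a non-root user and that the repository tree is owned by that user. The function names are hypothetical, the sample config is constructed from the one quoted in the thread, and the audit assumes xinetd itself runs as root.

```shell
# xinetd_attr FILE KEY: print the value of a "KEY = value" line.
xinetd_attr() {
    awk -F= -v key="$2" '
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); val = v }
        END { print val }' "$1"
}

# audit_service FILE: return 0 only if the server runs as a non-root user.
# Assumption: xinetd itself runs as root, so a missing "user" means root.
audit_service() {
    user=$(xinetd_attr "$1" user)
    port=$(xinetd_attr "$1" port)
    [ -n "$user" ] || user=root
    case $user in
        root|0) echo "FAIL: $1 runs as root (port ${port:-unset})"; return 1 ;;
        *)      echo "OK: $1 runs as $user (port ${port:-unset})" ;;
    esac
}

# foreign_files DIR USER: list entries under DIR not owned by USER,
# e.g. foreign_files /srv/svn svn (empty output means ownership is consistent).
foreign_files() { find "$1" ! -user "$2" -print; }

# Constructed sample: the thread's config, plus a copy without the user line.
demo=$(mktemp -d)
cat > "$demo/svn" <<'EOF'
service svn
{
    socket_type = stream
    protocol    = tcp
    user        = svn
    wait        = no
    disable     = no
    server      = /usr/bin/svnserve
    server_args = -i -r /srv/svn
    port        = 3690
}
EOF
grep -v 'user' "$demo/svn" > "$demo/svn-no-user"
audit_service "$demo/svn"
audit_service "$demo/svn-no-user" || true
rm -rf "$demo"
```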