[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Group Based Access !!

From: John Szakmeister <john_at_szakmeister.net>
Date: 2007-01-08 10:40:57 CET

----- Himanshu Raina <raina_himanshu@yahoo.com> wrote:
> HI,
>
> I am accessing my repositories over the network using svn protocol.I
> have a repository under which i have lot of project directories.I want
> to limit the access to directories i.e i want to provide group
> specific access.
>
> Example:-
>
> I have a repository name scholars
> Under scholars i have different projects namely e
> ngineers,managers,programmers
> As of now i make use of passwd file which provides the access to
> complete repository.I want to create a group say "test_group" which
> will have say 5 users and all these users shuld be able to access only
> scholars/engineers same way another group which can access
> scholar/managers .....
>
> Could someone provide help on this.With http schema it can be done
> using svnaccessfile but how about cmdline access.

That's a good question... looking at the code I don't see that local access would do what you want, and that makes perfect sense. The problem with local access is that you need access to the database backend in order to commit. At that point, you can no longer restrict people. I mean, we could, but it doesn't stop anyone from compiling their own version and gaining access to the restricted area, since authorization is being done by the client. On top of that, you risk someone being able to upgrade the repository without your permission, and of course, there's the accidental 'rm -rf'.

I'd use svnserve to serve the repository, and I'd do it as it's own user. The repository should be only readable and writable by that user (otherwise, your engineers can use the file:// protocol to read the restricted area). Then you just use svn:// to access everything. This allows you to chose when you want to upgrade the repository, it keeps prying eyes from seeing unauthorized data/information, and svn:// access is fast.

Hope that helps!

-John

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Mon Jan 8 10:41:16 2007

This is an archived mail posted to the Subversion Users mailing list.