
Re: block the file:/// access in AFS

From: Ulrich Eckhardt <eckhardt_at_satorlaser.com>
Date: 2007-01-09 11:51:24 CET

On Tuesday 09 January 2007 11:27, Riccardo-Maria Bianchi wrote:
> I have this problem. I set up an SVN server and I want users to access it
> only via the SVN+SSH protocol.

Okay.

> The problem is that the repository directory is on our AFS (it must be
> there) and AFS users can access the repository via file:/// without
> restriction.

Well, that's how it works: SVN+SSH just tunnels (file-)access over SSH. If they
can login to the machine and use file:/// it is mostly the same.

> Can I block the file:/// access protocol, in order to use only the
> svnserve?

Wait, now you are using svnserve? I'm slightly puzzled, as I'm not really sure
what you want...

I would propose this:
- Add a dedicated user 'svn' or 'svnserve'.
- Using e.g. inetd, you start an svnserve process that serves the
repositor(y|ies).
- Normal users do not have read or write access to the files that make up the
repository, all files are owned by the user of the svnserve process
exclusively. Maybe a backup service does get access and administrative
personnel.

Now, if you need SSH for security reasons, you can easily use it to create a
tunnel from your host to the server, see the SSH manpage for how to do that. In
that case, the server otherwise only allows connections from trusted hosts.
In the most extreme case that would only be localhost/127.0.0.1, i.e. users
must always create a tunnel first or work directly on that machine. FYI,
restricting this would be an inetd configuration, not svnserve.

Uli

Received on Tue Jan 9 11:51:43 2007
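
A check for the ownership rule proposed in the reply above, as an added example that is not part of the original mail: it lists every path in a repository tree that is not owned by the svnserve account or that grants any group/other permission. The function name `audit_repo`, the path `/srv/svn/repos` and the account `svn` are hypothetical, and the check assumes a filesystem that enforces POSIX mode bits; on AFS, access is governed by directory ACLs rather than these mode bits, so the same rule has to be verified with the AFS ACL tools.

```shell
#!/bin/sh
# Added example: verify that a Subversion repository tree is private to the
# account that runs svnserve, so file:/// access by other local users fails.
# Assumption: POSIX mode bits are enforced on this filesystem (not true on AFS).

# audit_repo REPO_DIR SERVICE_USER
#   Prints each offending path, one per line.
#   Returns 0 if the tree is clean, 1 if violations exist, 2 on bad input.
audit_repo() {
    repo=$1
    owner=$2
    [ -d "$repo" ] || { echo "not a directory: $repo" >&2; return 2; }

    # A path is a violation when either
    #   - it is not owned by the service account, or
    #   - it is not a symlink and any group/other r, w or x bit is set.
    # The six -perm tests are the portable spelling of "any bit of 077".
    bad=$(find "$repo" \( ! -user "$owner" -o \( ! -type l \( \
            -perm -040 -o -perm -020 -o -perm -010 -o \
            -perm -004 -o -perm -002 -o -perm -001 \) \) \) -print)

    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Typical use (hypothetical path and account name):
#   audit_repo /srv/svn/repos svn || echo "repository is reachable via file:///"
```

A non-zero result means some local account other than the service user can still open repository files directly, bypassing svnserve.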

This is an archived mail posted to the Subversion Users mailing list.