[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: block the file:/// access in AFS

From: Riccardo-Maria Bianchi <riccardomaria.bianchi_at_physik.uni-freiburg.de>
Date: 2007-01-09 16:16:56 CET

Thanks for your answer!

I explain better:

We have our repository on AFS; but I want users access to it only by
svnserve tunneled via SSH. That because I set up a group with certain
permissions with svnserve.conf and authz files, and I don't want every
AFS users can access to the repository.

Moreover I want that users access to the repo only via a certain
machine, which is allowed to send e-mail (I use the post-commit hook).

Is it possible to switch off the file:/// access? Or is there any way to
prevent users access in this way?

Thanks a lot again,

    Riccardo.

Ulrich Eckhardt wrote:
> On Tuesday 09 January 2007 11:27, Riccardo-Maria Bianchi wrote:
>> I have this problem. I set up a SVN server and I want users access to it
>> only via SVN+SSH protocol.
>
> Okay.
>
>> The problem is that the repository directory is on our AFS (it must be
>> there) and AFS users can access to the repository via file:/// without
>> restriction.
>
> Well, that's how it work: SVN+SSH just tunnels (file-)access over SSH. If they
> can login to the machine and use file:/// it is mostly the same.
>
>> Can I block the file:/// access protocol, in order to use only the
>> svnserve?
>
> Wait, now you are using svnserve? I'm slightly puzzled, as I'm not really sure
> what you want...
>
> I would propose this:
> - Add a dedicated user 'svn' or 'svnserve'.
> - Using e.g. inetd, you start an svnserve process that serves the repositor(y|
> ies).
> - Normal users do not have read or write access to the files that make up the
> repository, all files are owned by the user of the svnserve process
> exclusively. Maybe a backup service does get access and administrative
> personal.
>
> Now, if you need SSH for security reasons, you can easily use it to create a
> tunnel from your host to the server, see the SSH manpage how to do that. In
> that case, the server otherwise only allows connections from trusted hosts.
> In the most extreme case that would only be localhost/127.0.0.1, i.e. users
> must always create a tunnel first or work directly on that machine. FYI,
> restricting this would be an inetd configuration, not svnserve.
>
> Uli
>
> **************************************************************************************
> Visit our website at <http://www.satorlaser.de/>
> **************************************************************************************
> Diese E-Mail einschließlich sämtlicher Anhänge ist nur für den Adressaten bestimmt und kann vertrauliche Informationen enthalten. Bitte benachrichtigen Sie den Absender umgehend, falls Sie nicht der beabsichtigte Empfänger sein sollten. Die E-Mail ist in diesem Fall zu löschen und darf weder gelesen, weitergeleitet, veröffentlicht oder anderweitig benutzt werden.
> E-Mails können durch Dritte gelesen werden und Viren sowie nichtautorisierte Änderungen enthalten. Sator Laser GmbH ist für diese Folgen nicht verantwortlich.
>
> **************************************************************************************
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: users-help@subversion.tigris.org
>

-- 
---------------------------------------------------------------------
-                                                                   -
-       Riccardo Maria BIANCHI                                      -
-                                                                   -
-       Physikalisches Institut, University of Freiburg             -
-                                                                   -
-       Office:  Room 02 022 (2nd floor)                            -
-                Hermann-Herder Str. 3                              -
-                D-79104 Freiburg  (Germany)                        -
-       Email:   riccardomaria.bianchi@physik.uni-freiburg.de       -
-       Tel.:    +49 761 203 5879                                   -
-                                                                   -
---------------------------------------------------------------------
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Tue Jan 9 16:17:13 2007

This is an archived mail posted to the Subversion Users mailing list.