Thanks for your answer!
Let me explain better:
We have our repository on AFS, but I want users to access it only through
svnserve tunneled via SSH. That is because I set up a group with certain
permissions with the svnserve.conf and authz files, and I don't want every
AFS user to be able to access the repository.
Moreover, I want users to access the repo only via a certain
machine, which is allowed to send e-mail (I use the post-commit hook).
Is it possible to switch off file:/// access? Or is there any way to
prevent users from accessing it this way?
Thanks a lot again,
Riccardo.
Ulrich Eckhardt wrote:
> On Tuesday 09 January 2007 11:27, Riccardo-Maria Bianchi wrote:
>> I have this problem. I set up an SVN server and I want users to access it
>> only via the SVN+SSH protocol.
>
> Okay.
>
>> The problem is that the repository directory is on our AFS (it must be
>> there) and AFS users can access the repository via file:/// without
>> restriction.
>
> Well, that's how it works: SVN+SSH just tunnels (file-)access over SSH. If they
> can log in to the machine and use file:/// it is mostly the same.
>
>> Can I block the file:/// access protocol, in order to use only the
>> svnserve?
>
> Wait, now you are using svnserve? I'm slightly puzzled, as I'm not really sure
> what you want...
>
> I would propose this:
> - Add a dedicated user 'svn' or 'svnserve'.
> - Using e.g. inetd, you start an svnserve process that serves the
> repositor(y|ies).
> - Normal users do not have read or write access to the files that make up the
> repository, all files are owned by the user of the svnserve process
> exclusively. Maybe a backup service does get access and administrative
> personnel.
>
> Now, if you need SSH for security reasons, you can easily use it to create a
> tunnel from your host to the server, see the SSH manpage how to do that. In
> that case, the server otherwise only allows connections from trusted hosts.
> In the most extreme case that would only be localhost/127.0.0.1, i.e. users
> must always create a tunnel first or work directly on that machine. FYI,
> restricting this would be an inetd configuration, not svnserve.
>
> Uli
--
---------------------------------------------------------------------
- -
- Riccardo Maria BIANCHI -
- -
- Physikalisches Institut, University of Freiburg -
- -
- Office: Room 02 022 (2nd floor) -
- Hermann-Herder Str. 3 -
- D-79104 Freiburg (Germany) -
- Email: riccardomaria.bianchi@physik.uni-freiburg.de -
- Tel.: +49 761 203 5879 -
- -
---------------------------------------------------------------------
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Tue Jan 9 16:17:13 2007
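
The layout proposed in the quoted reply (repository files owned exclusively by a dedicated svnserve user, with no access for normal users) can be checked with a short audit script. This is an added example, not part of the original thread; it assumes a filesystem that enforces Unix owner and mode bits (on AFS, directory ACLs decide access instead), and the path and user name in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: audit a repository tree laid out as proposed above,
# where only the dedicated svnserve account may touch the files.
# Assumption: the filesystem enforces Unix owner/mode bits (not AFS ACLs).

# audit_repo_perms REPO OWNER
#   Prints every path under REPO that is not owned by OWNER (name or
#   numeric uid) or that grants any permission bit to group or other.
#   Returns 0 when the tree is clean, 1 on findings, 2 on usage errors.
audit_repo_perms() {
    repo=$1
    owner=$2
    if [ -z "$repo" ] || [ -z "$owner" ] || [ ! -d "$repo" ]; then
        echo "usage: audit_repo_perms REPO_DIR OWNER" >&2
        return 2
    fi
    # Each -perm -NNN test matches when that single bit is set, so the
    # group matches any group/other read, write or execute permission.
    # Symlinks are skipped because their own mode bits are not enforced.
    findings=$(find "$repo" ! -type l \( ! -user "$owner" \
        -o -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Hypothetical invocation: audit_repo_perms /srv/svn/repos svn
```

Any path it prints is one that a local user could still reach through file:///, bypassing svnserve.conf and the authz file.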