
RE: block the file:/// access in AFS

From: Miller, Eric <Eric.Miller_at_amd.com>
Date: 2007-01-09 16:20:23 CET

Riccardo-Maria Bianchi wrote:
> > Can I block the file:/// access protocol, in order to use only the
> > svnserve?

chmod the repository as write only by some user (say svnuser). Users will then access the repository like this:

svn+ssh://svnuser@host/path/to/repos

This will cause the svnserve process to be launched under svnuser's pid thus allowing access to the repository. You then need to modify ~svnuser/.ssh/authorized_keys to add permitted users via public key access and use the command feature of that file to start "svnserve --tunnel userA". This makes it so that locking, commits, etc. happen by userA, not svnuser.

Check out the svn book for more details. You can write a wrapper around svnserve to validate access based on unix groups as well (which is why I explored this avenue).

Ulrich Eckhardt wrote:
> Well, that's how it works: SVN+SSH just tunnels (file-)access over SSH. If
> they can login to the machine and use file:/// it is mostly the same.

That is not accurate. SVN+SSH does exactly what it sounds like - tunnels svnserve transactions across SSH. Every time an ssh connection is initiated a svnserve process is started to handle it.

Hope that helps,

Eric
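Eric's authorized_keys approach, as an added shell example that is not from the thread: it generates the forced-command entries for the dedicated repository owner and audits that no entry can be used for an ordinary login. It uses svnserve's documented tunnel flags (`svnserve -t --tunnel-user=NAME`); the user names and keys are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Builds ~svnuser/.ssh/authorized_keys
# entries so that every SSH login with a permitted key can only run svnserve
# in tunnel mode, and commits/locks are attributed to the named SVN user.
# svnserve honours --tunnel-user only together with -t, and trusts it because
# the SSH key has already authenticated the person holding it.

# Emit one authorized_keys line: forced command plus the restrictions that
# stop the key from opening a shell, forwarding ports/agents/X11 or getting a pty.
authorized_keys_line() {
    svn_user=$1
    pubkey=$2
    printf 'command="svnserve -t --tunnel-user=%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$svn_user" "$pubkey"
}

# Read "svn_user pubkey" pairs on stdin (the site's allow-list) and print the file.
build_authorized_keys() {
    while read -r svn_user pubkey; do
        [ -n "$svn_user" ] && [ -n "$pubkey" ] || continue
        authorized_keys_line "$svn_user" "$pubkey"
    done
}

# Audit an authorized_keys file on stdin: fail if any key line lacks the forced
# svnserve command or the no-pty restriction, since such a key would give the
# holder a real shell as the repository owner.
check_authorized_keys() {
    while IFS= read -r line; do
        case $line in
            '') continue ;;
            '#'*) continue ;;
            *'command="svnserve -t --tunnel-user='*'no-pty'*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Constructed sample allow-list (placeholder keys); a real site would keep
# this under change control and regenerate the file from it.
sample_allow_list() {
    printf 'userA ssh-ed25519 AAAAC3constructedKeyA userA@example.invalid\n'
    printf 'userB ssh-ed25519 AAAAC3constructedKeyB userB@example.invalid\n'
}
```

Generate the file with `sample_allow_list | build_authorized_keys > ~svnuser/.ssh/authorized_keys` and re-run `check_authorized_keys < ~svnuser/.ssh/authorized_keys` after every edit, so a hand-added key without the forced command is caught before it grants a shell as svnuser.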

> -----Original Message-----
> From: Ulrich Eckhardt [mailto:eckhardt@satorlaser.com]
> Sent: Tuesday, January 09, 2007 3:51 AM
> To: users@subversion.tigris.org
> Subject: Re: block the file:/// access in AFS
>
> On Tuesday 09 January 2007 11:27, Riccardo-Maria Bianchi wrote:
> > I have this problem. I set up a SVN server and I want users access to it
> > only via SVN+SSH protocol.
>
> Okay.
>
> > The problem is that the repository directory is on our AFS (it must be
> > there) and AFS users can access to the repository via file:/// without
> > restriction.
>
> Well, that's how it works: SVN+SSH just tunnels (file-)access over SSH. If
> they can login to the machine and use file:/// it is mostly the same.
>
> > Can I block the file:/// access protocol, in order to use only the
> > svnserve?
>
> Wait, now you are using svnserve? I'm slightly puzzled, as I'm not really
> sure what you want...
>
> I would propose this:
> - Add a dedicated user 'svn' or 'svnserve'.
> - Using e.g. inetd, you start an svnserve process that serves the
> repositor(y|ies).
> - Normal users do not have read or write access to the files that make up
> the repository, all files are owned by the user of the svnserve process
> exclusively. Maybe a backup service does get access and administrative
> personnel.
>
> Now, if you need SSH for security reasons, you can easily use it to create
> a tunnel from your host to the server, see the SSH manpage how to do that.
> In that case, the server otherwise only allows connections from trusted
> hosts. In the most extreme case that would only be localhost/127.0.0.1, i.e.
> users must always create a tunnel first or work directly on that machine.
> FYI, restricting this would be an inetd configuration, not svnserve.
>
> Uli

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Tue Jan 9 16:24:08 2007

This is an archived mail posted to the Subversion Users mailing list.