
Re: security and file permissions

From: Ingo Schmidt <ich_at_der-ingo.de>
Date: 2007-03-29 20:25:50 CEST

Hi Steven!

> I want to establish per-directory read-write access. I can
> do this as per ch. 6 of the documentation. But I am running
> everything on an svn+ssh basis, with the umask = 002 so
> that every file in db/revs has permissions 664.

What speaks against umask 007?

How did you set up svn+ssh? There are many options. Does every user
have his own account? And every user can just log into that server via
ssh? That I would not do.

Here is how I set up a server at my company just last week :-)

I created a user "svn" and a group "svn". The only user in group "svn"
is user "svn". This user and group can't do anything in the system
except access the svn repos. My repos all belong to user and group
svn. Read access for others is prohibited (umask 007).

And then I set up "shared accounts" as described in the svnbook.
Now every user who wants to have access to the repositories has to
give me a public key which I then insert into
/home/svn/.ssh/authorized_keys
in exactly the way it is described in chapter 6, SSH configuration
tricks:
command="svnserve -t --tunnel-user=harry -r /path/to/repos/",no-port-forwarding,\
           no-agent-forwarding,no-X11-forwarding,no-pty \
           TYPE1 KEY1 harry@example.com

How does this sound?

           
Cheers, Ingo =;->
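
Added example, not part of the original mail: a small audit of the shared account's authorized_keys file that reports any key not locked to "svnserve -t" with a --tunnel-user and the four restrictions quoted above. The function names and the sample file (including the sally and admin entries and the placeholder key material) are constructed for illustration; each entry is written on a single line.

```python
import re

# Restrictions used in the authorized_keys entry quoted above (compared lowercased).
REQUIRED = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding", "no-pty"}

def split_entry(line):
    """Split one authorized_keys line into (options, rest), honouring quoted values."""
    if re.match(r"(ssh|ecdsa|sk)-", line):          # starts with a key type: no options
        return [], line
    opts, cur, quoted, prev = [], "", False, ""
    for i, ch in enumerate(line):
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if not quoted and ch in " \t":              # unquoted blank ends the options field
            return opts + [cur], line[i:].strip()
        if not quoted and ch == ",":                # unquoted comma separates options
            opts.append(cur)
            cur = ""
        else:
            cur += ch
        prev = ch
    return opts + [cur], ""

def audit(text):
    """Return (line_number, problem) pairs for entries that are not locked to svnserve."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, _ = split_entry(line)
        cmd = next((o for o in opts if o.lower().startswith("command=")), None)
        if cmd is None:
            findings.append((n, "no forced command"))
        elif not re.search(r"\bsvnserve\b.*\s-t\b", cmd):
            findings.append((n, "forced command is not svnserve -t"))
        elif not re.search(r'--tunnel-user=[^\s"]+', cmd):
            findings.append((n, "no --tunnel-user"))
        missing = REQUIRED - {o.lower() for o in opts}
        if missing:
            findings.append((n, "missing " + ",".join(sorted(missing))))
    return findings

# Constructed sample file; the key material is a placeholder, not a real key.
SAMPLE = """\
command="svnserve -t --tunnel-user=harry -r /path/to/repos/",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAPLACEHOLDER harry@example.com
command="svnserve -t -r /path/to/repos/",no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAPLACEHOLDER sally@example.com
ssh-rsa AAAAPLACEHOLDER admin@example.com
"""

if __name__ == "__main__":
    for n, problem in audit(SAMPLE):
        print(f"line {n}: {problem}")
```

An entry without --tunnel-user still works, but its commits are recorded under the shared system account's name rather than the individual user's.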

Received on Thu Mar 29 20:26:30 2007

This is an archived mail posted to the Subversion Users mailing list.
