
Re: Apache + SVN

From: Bruce Wilson <b-svn_at_toomuchblue.com>
Date: 2007-04-18 07:06:02 CEST

Ryan Schmidt wrote:
> I do see what you mean. But since you can configure DAV to be enabled
> or not on a per-vhost basis, the only protection the above seems to
> afford you is protection against bugs in the WebDAV module itself that
> would manifest themselves on the server as a whole regardless of its
> configuration. Granted, that may be a reasonable precaution. But if it
> were my server, I probably wouldn't be very concerned about it,
> especially if I kept my software up to date. I have a high degree of
> confidence in the security of Apache and its included modules, and the
> responsibility of its developers to release timely security updates as
> needs arise.
I guess I may be venturing from Due Caution into the realm of Borderline
Paranoia here.

>> Subversion requires Apache to have write access to the repository
>> directory. Bugzilla requires write access to several of its own
>> directories. Since the two Bugzilla sites are public-facing, linked
>> from multiple places and potentially turning up in search engines,
>> I'm uncomfortable having those sites running under a user who
>> potentially has access to the Subversion repository, holding private
>> and proprietary data. The only way I've seen to control this is to
>> run one instance of Apache as one user (perhaps "www-bugzilla") and
>> another instance as another user ("www-svn"), so I can assign
>> different permissions to each user.
>
> I think you have a point here. I can think of no way to restrict the
> Bugzilla installation so that it cannot access the files of your
> Subversion repository, short of running two Apaches under two
> different users as you suggest.
>
> You'd be protecting against theoretical bugs in Bugzilla that would
> enable an attacker to read any file the web server can read. But bugs
> like that certainly have surfaced in other popular web-based projects,
> so this concern is certainly not unfounded.
I saw a suggestion in the O'Reilly "Apache Cookbook" suggesting this
arrangement to protect one site from the WebDAV enabled on another.
Perhaps this solution is less warranted if all users with access to the
system are trusted? (e.g., me plus one guy who only writes reports, at
the moment).

> If you place that directive outside of any <VirtualHost> directives,
> it will apply to all virtual hosts. If you place the directive inside
> a <VirtualHost> directive, it applies only to that virtual host. This
> is at least an easy question to answer. :) Um... well, except that any
> modules you need for a particular vhost will have to be activated for
> all vhosts. So as you noticed above, mod_dav and mod_dav_svn will be
> loaded in memory, even for those workers that are only serving
> Bugzilla requests.
>
> Note too though that granting access to specific paths of a virtual
> host (for a normal web site like Bugzilla, with <Location> directives)
> is a different beast from allowing access to specific paths of a
> Subversion repository (which is usually handled with Subversion access
> files).
That's helpful. What about if Subversion is unavailable for some
reason? Might DAV kick in and allow general WebDAV operations? Or
would using the svn DAV module guarantee the site does nothing unless
Subversion is available?

> I've managed several multi-purpose Apache servers for a web hosting
> shop. It's not that bad. As long as you keep directives inside
> <VirtualHost> containers, they will apply only to that vhost.
>
> Originally I had all vhosts in a single vhosts.conf file which was
> included from the main httpd.conf file. Then later I found that you
> could have Apache automatically include all files in a given
> directory, and I split each site into its own include file in a vhosts
> directory. For sites that used both http and https (even where the
> http site just redirected all URLs to the https site), I kept both the
> http and https vhosts in the same configuration file because I found
> that more intuitive.
This is very helpful, and exactly part of the help I was looking for:
some guidance on good ways to arrange and organize the .conf files so I
can clearly see what applies to which site.

> As long as your questions are "how do I configure Apache to host my
> Subversion repository," this is a good place to ask. Things like
> starting multiple Apache instances and mod_rewrite rules start to go
> beyond what usually gets discussed here and you might have more luck
> on an Apache-oriented forum or list.
I will do that. Thanks for replying and pointing me in the right
directions.

Received on Wed Apr 18 07:07:14 2007

This is an archived mail posted to the Subversion Users mailing list.
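
The two-instance arrangement discussed in this thread, sketched as an added example that is not part of the original mail or of either poster's configuration. The user names www-svn and www-bugzilla come from the message; every path, port, host name and file name below is a hypothetical placeholder.

```apache
# ---- /etc/apache2-svn/httpd.conf (hypothetical): Subversion-only instance ----
# Assumes modules/ under ServerRoot links to the distribution's module
# directory; auth, log and MIME modules and TLS directives are omitted.
ServerRoot "/etc/apache2-svn"
PidFile    /var/run/apache2-svn.pid
Listen     8080
User       www-svn
Group      www-svn
ErrorLog   /var/log/apache2-svn/error.log

# DAV modules are loaded only in this instance.
LoadModule dav_module       modules/mod_dav.so
LoadModule dav_svn_module   modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

# One file per site, relative to ServerRoot; a site's http and https
# vhosts live in the same file.
Include vhosts/*.conf

# ---- /etc/apache2-svn/vhosts/svn.example.com.conf (hypothetical) ----
<VirtualHost *:8080>
    ServerName svn.example.com
    # The repository is assumed to be owned by www-svn with no access for
    # "other", so a process running as www-bugzilla cannot read it.
    <Location /repos>
        DAV svn
        SVNPath /srv/svn/repo
        AuthType Basic
        AuthName "Subversion"
        AuthUserFile /etc/apache2-svn/htpasswd
        Require valid-user
        # Path-level rules inside the repository come from the access file.
        AuthzSVNAccessFile /etc/apache2-svn/svn-access.conf
    </Location>
</VirtualHost>

# ---- /etc/apache2-bugzilla/httpd.conf (hypothetical): public instance ----
ServerRoot "/etc/apache2-bugzilla"
PidFile    /var/run/apache2-bugzilla.pid
Listen     80
User       www-bugzilla
Group      www-bugzilla
ErrorLog   /var/log/apache2-bugzilla/error.log
# No LoadModule lines for mod_dav or mod_dav_svn in this instance.
Include vhosts/*.conf
```

Each instance is started against its own file with `httpd -f <path to that httpd.conf>`, so the two sets of workers never share a user, a PID file or a loaded module list.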