[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Write Permission on repository may encourage UNIX user to tamper with repository (SSH)

From: Andy Levy <andy.levy_at_gmail.com>
Date: Thu, 15 May 2008 09:15:17 -0400

On Thu, May 15, 2008 at 6:56 AM, Sachidanand Shukla <shukla.68_at_gmail.com> wrote:
> I am a clearcase administrator with NCR Corp. and am currently persuing
> migration of Clearcase code to SVN.
> I am using svn+ssh to access repositories on Windows clients and server is
> on Solaris box.
> my problem is that i create a login for user on solaris box and ask him to
> access repository from Windows client, but as user has access to solaris box
> also (as his login is created there and repositories also reside there) he
> can temper with repositries because he belongs to the group to which
> repository belongs.
> i tried a lot but could not succeed in protecting it.
> I have configured svnserv (text file) to mask the repository path amnd URL
> does not disclose full path, but even then....
> i tried
> 1. Restricted shell
> 2. chroot is not possible as server is being used by other teams also
> 3. changed .profile etc etc.
> but all in vain.

This is actually documented in the manual. From

"When running over a tunnel, authorization is primarily controlled by
operating system permissions to the repository's database files; it's
very much the same as if Harry were accessing the repository directly
via a file:// URL. If multiple system users are going to be accessing
the repository directly, you may want to place them into a common
group, and you'll need to be careful about umasks."

Not a solution, just pointing out that it is documented that this is
how things are intended to be.

To unsubscribe, e-mail: users-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: users-help_at_subversion.tigris.org
Received on 2008-05-15 15:15:49 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.