Re: Absolutely minimal file permissions for Subverison repository with Apache/DAV?

The reason for the 2755 permission setting in the example on that page is
to set the "setgid" bit on the directory.

From the Solaris man page for chmod (which has a much better explanation
of octal codes than the Linux man pages):

> 20#0 Set group ID on execution if # is 7, 5, 3, or 1.
> Enable mandatory locking if # is 6, 4, 2, or 0.
>
> For directories, files are created with BSD semantics for propagation
of the group ID. With this option, files and subdirectories created in
the directory inherit the group ID of the directory, rather than of the
current process. It may be cleared only by using symbolic mode.

This will mean that all objects will be created with www-data group
ownership - which will mean that they'll be readable by the webserver
process.

Dg.

--
David Grierson
JPMorgan - IB Architecture - Source Code Management Consultant
GDP 228-5574 / DDI +44 141 228 5574 / Email david.x.grierson_at_jpmorgan.com
Alhambra House 6th floor, 45 Waterloo Street, Glasgow G2 6HS
 
Ryan Schmidt <subversion-2008c_at_ryandesign.com> 
09/08/2008 06:15
To
Peter Michaux <petermichaux_at_gmail.com>
cc
users_at_subversion.tigris.org
Subject
Re: Absolutely minimal file permissions for Subverison repository with 
Apache/DAV?
On Aug 8, 2008, at 12:10, Peter Michaux wrote:
> I've set up a Subversion repository with svnadmin 1.4.2 on Debian
> Etch. (That is the stable version of Subversion on Debian.) The
> repository is /home/dev/repo and that directory and all its contained
> files have owner:group www-data:www-data with rwxr-x-r-x permissions.
> Does everything in the repository need to have write access for
> www-data:www-data user:group that Apache runs as on Debian?
>
> I found some slightly different repository file permission settings 
> here
>
> http://www.debian-administration.org/articles/374#comment_18
>
> In the permissions above, why do the directories need to have the
> leading "2" in their permissions?
>
> The permissions suggested in the above link are uniform for all files
> in the repository; however, when svnadmin creates the repository it
> seems to have various permission on various files.
>
> Does someone have a suggestion for a minimal set of file permissions
> and more restrictive ownership of the files in a repository so the
> www-data user can do the work it needs to do? For example to the hook
> template files need to be owned by www-data:www-data, etc?
I can't comment on instructions shown on that web site, but have you 
checked out the official documentation on the topic of permissions?
http://subversion.tigris.org/faq.html#reposperms
I don't think the hook scripts need to be owned by anyone in 
particular, so long as the user as whom the repository is served has 
permission to execute them.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: users-help_at_subversion.tigris.org
Generally, this communication is for informational purposes only
and it is not intended as an offer or solicitation for the purchase
or sale of any financial instrument or as an official confirmation
of any transaction. In the event you are receiving the offering
materials attached below related to your interest in hedge funds or
private equity, this communication may be intended as an offer or
solicitation for the purchase or sale of such fund(s).  All market
prices, data and other information are not warranted as to
completeness or accuracy and are subject to change without notice.
Any comments or statements made herein do not necessarily reflect
those of JPMorgan Chase & Co., its subsidiaries and affiliates.
This transmission may contain information that is privileged,
confidential, legally privileged, and/or exempt from disclosure
under applicable law. If you are not the intended recipient, you
are hereby notified that any disclosure, copying, distribution, or
use of the information contained herein (including any reliance
thereon) is STRICTLY PROHIBITED. Although this transmission and any
attachments are believed to be free of any virus or other defect
that might affect any computer system into which it is received and
opened, it is the responsibility of the recipient to ensure that it
is virus free and no responsibility is accepted by JPMorgan Chase &
Co., its subsidiaries and affiliates, as applicable, for any loss
or damage arising in any way from its use. If you received this
transmission in error, please immediately contact the sender and
destroy the material in its entirety, whether in electronic or hard
copy format. Thank you.
Please refer to http://www.jpmorgan.com/pages/disclosures for
disclosures relating to UK legal entities.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: users-help_at_subversion.tigris.org