
Re: Absolutely minimal file permissions for Subversion repository with Apache/DAV?

From: Toby Thain <toby_at_telegraphics.com.au>
Date: Mon, 11 Aug 2008 11:59:46 -0300

On 11-Aug-08, at 5:54 AM, david.x.grierson_at_jpmorgan.com wrote:

> The reason for the 2755 permission setting in the example on that page is
> to set the "setgid" bit on the directory.
>
> From the Solaris man page for chmod (which has a much better explanation
> of octal codes than the Linux man pages):
>
>> 20#0 Set group ID on execution if # is 7, 5, 3, or 1.
>> Enable mandatory locking if # is 6, 4, 2, or 0.
>>
>> For directories, files are created with BSD semantics for propagation
>> of the group ID. With this option, files and subdirectories created in
>> the directory inherit the group ID of the directory, rather than of the
>> current process. It may be cleared only by using symbolic mode.
>
> This will mean that all objects will be created with www-data group
> ownership

This is only relevant if processes *other* than the web server are
also operating on the repo, surely? (Unusual except for maintenance?)

--Toby

> - which will mean that they'll be readable by the webserver process.
>
> Dg.
> --
> David Grierson
> JPMorgan - IB Architecture - Source Code Management Consultant
> GDP 228-5574 / DDI +44 141 228 5574 / Email
> david.x.grierson_at_jpmorgan.com
> Alhambra House 6th floor, 45 Waterloo Street, Glasgow G2 6HS
>
> Ryan Schmidt <subversion-2008c_at_ryandesign.com>
> 09/08/2008 06:15
>
> To: Peter Michaux <petermichaux_at_gmail.com>
> cc: users_at_subversion.tigris.org
> Subject: Re: Absolutely minimal file permissions for Subversion repository with Apache/DAV?
>
> On Aug 8, 2008, at 12:10, Peter Michaux wrote:
>
>> I've set up a Subversion repository with svnadmin 1.4.2 on Debian
>> Etch. (That is the stable version of Subversion on Debian.) The
>> repository is /home/dev/repo and that directory and all its contained
>> files have owner:group www-data:www-data with rwxr-xr-x permissions.
>> Does everything in the repository need to have write access for
>> www-data:www-data user:group that Apache runs as on Debian?
>>
>> I found some slightly different repository file permission settings
>> here
>>
>> http://www.debian-administration.org/articles/374#comment_18
>>
>> In the permissions above, why do the directories need to have the
>> leading "2" in their permissions?
>>
>> The permissions suggested in the above link are uniform for all files
>> in the repository; however, when svnadmin creates the repository it
>> seems to have various permissions on various files.
>>
>> Does someone have a suggestion for a minimal set of file permissions
>> and more restrictive ownership of the files in a repository so the
>> www-data user can do the work it needs to do? For example, do the hook
>> template files need to be owned by www-data:www-data, etc?
>
> I can't comment on instructions shown on that web site, but have you
> checked out the official documentation on the topic of permissions?
>
> http://subversion.tigris.org/faq.html#reposperms
>
> I don't think the hook scripts need to be owned by anyone in
> particular, so long as the user as whom the repository is served has
> permission to execute them.
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe_at_subversion.tigris.org
> For additional commands, e-mail: users-help_at_subversion.tigris.org

Received on 2008-08-11 17:00:25 CEST

This is an archived mail posted to the Subversion Users mailing list.
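
Added example, not part of the archived messages: a shell audit for the property the 2755 mode is meant to provide, namely that every directory in the repository carries the setgid bit and every entry shares the top directory's group. The function names and the sample tree are hypothetical; it assumes a POSIX shell with find, ls and awk, and the inheritance of the setgid bit itself by new subdirectories is Linux behaviour.

```sh
#!/bin/sh
# Added example, not from the thread: audit a tree for the group-inheritance
# property that mode 2755 on the repository directories is meant to provide.

# Directories under $1 that lack the setgid bit (octal 2000).
dirs_missing_setgid() {
    find "$1" -type d ! -perm -2000 -print
}

# Entries under $1 whose group differs from the group of $1 itself.
entries_with_foreign_group() {
    top_gid=$(ls -ldn "$1" | awk '{print $4}')   # numeric gid of the top dir
    find "$1" ! -group "$top_gid" -print
}

# List offenders; return 0 if the tree is consistent, 1 otherwise.
audit_repo_group() {
    missing=$(dirs_missing_setgid "$1")
    foreign=$(entries_with_foreign_group "$1")
    [ -z "$missing" ] || printf '%s\n' "$missing" | sed 's/^/no setgid: /'
    [ -z "$foreign" ] || printf '%s\n' "$foreign" | sed 's/^/foreign group: /'
    [ -z "$missing$foreign" ]
}

# Build a constructed sample tree (hypothetical layout) and print its path.
build_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/repo"
    chmod 2755 "$t/repo"                 # setgid on the top directory
    # Created inside a setgid directory: both inherit its group and,
    # on Linux, the setgid bit as well.
    mkdir "$t/repo/db" "$t/repo/hooks"
    : > "$t/repo/db/current"
    chmod g-s "$t/repo/hooks"            # simulate a directory that lost the bit
    printf '%s\n' "$t/repo"
}

# Run against the constructed tree when invoked as: sh audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    audit_repo_group "$(build_sample_tree)" || echo "tree needs fixing"
fi
```

The clearing step uses symbolic mode (g-s), matching the man page excerpt quoted in the thread.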
