
Re: Security features, path based authorization in subversion

From: vinay i <vinay.indresh_at_gmail.com>
Date: Mon, 25 Aug 2008 17:25:55 +0530

I even tried the svn+ssh tunnel with path based authorization. This worked
for me only when the permissions on the repository were rw-rw-rw-. Depending on
the user and path to repos in the authz file, authorization worked, either giving
access or complaining "authorization failed".
But when I put the permissions on the repository as rw-r---- for users other
than those who belonged to the group, the error was "Permission denied".
I can't keep permissions as rw-rw-rw- because users on the server can access
the file system directly.

-Vinay

On Mon, Aug 25, 2008 at 3:25 PM, vinay i <vinay.indresh_at_gmail.com> wrote:

> Thanks David.
> But my concern is when I use svnserve as a user and set permissions on the
> repository, to authenticate other users I will have to store users and
> corresponding passwords. This is a security concern. Can't we have a method
> where we don't have to store passwords?
>
> Vinay
>
>
> On Fri, Aug 22, 2008 at 9:17 PM, David Weintraub <qazwart_at_gmail.com> wrote:
>
>> On Fri, Aug 22, 2008 at 3:30 AM, vinay i <vinay.indresh_at_gmail.com> wrote:
>> > Hi
>> > I tried using svnserve and apache for security features and path based
>> > authorization. But when a user has access to the server (login to the
>> > server) all these authorizations fail. He can access any path within the
>> > repository by file:/// access.
>>
>> Create a NEW user called "svnserve". Create a new group for this user
>> and call it "svnserve" too. Then, change all the files in the
>> repository to be owned by this user and this user's group with a
>> permission of "rw-r--r--" or even better "rw-r-----". Set this
>> svnserve's umask to "066". Then run your Subversion server as this
>> user. This way, developers can't read and write to the repository
>> using the "file:///" access.
>>
>> The only reason you should be using "file:///" access is if you have a
>> private repository, and you don't want to run the server. As soon as
>> more than one person needs access to the repository, you should set up a
>> special subversion server user and give that user exclusive read and
>> write access on the repository.
>>
>> --
>> David Weintraub
>> qazwart_at_gmail.com
>>
>
>
>
Received on 2008-08-25 13:56:22 CEST
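
An added example, not part of the original thread: a shell function that checks a repository tree against the layout David describes (everything owned by the dedicated server account, no permission bits for "other"). The function name, the output labels and the path in the usage comment are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Subversion repository tree.
#
# audit_repo_perms REPO_DIR OWNER
#   REPO_DIR  repository root
#   OWNER     user name or numeric uid of the dedicated server account
# Prints one line per finding.
# Returns 0 if the tree is clean, 1 if there are findings, 2 on bad arguments.
#
# Usage (hypothetical path): audit_repo_perms /srv/svn/repo svnserve
audit_repo_perms() {
    repo=$1
    owner=$2
    if [ -z "$repo" ] || [ -z "$owner" ] || [ ! -d "$repo" ]; then
        echo "usage: audit_repo_perms REPO_DIR OWNER" >&2
        return 2
    fi
    findings=0

    # Files or directories not owned by the server account.
    not_owned=$(find "$repo" ! -user "$owner" -print)

    # Files or directories with any read, write or execute bit for "other".
    # Symlinks are skipped: their own mode bits are not used for access checks.
    world=$(find "$repo" ! -type l \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print)

    if [ -n "$not_owned" ]; then
        printf '%s\n' "$not_owned" | sed 's/^/NOT-OWNED-BY-SERVER-USER: /'
        findings=1
    fi
    if [ -n "$world" ]; then
        printf '%s\n' "$world" | sed 's/^/ACCESSIBLE-TO-OTHER: /'
        findings=1
    fi
    return $findings
}
```

A clean result means local accounts outside the owning user and group cannot reach the repository files through file:/// access.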

This is an archived mail posted to the Subversion Users mailing list.
