
Re: dav-svn in multihost environments, but safe

From: Ulf Seltmann <seltmann_at_digitalzone.de>
Date: Mon, 26 Jul 2010 11:55:30 +0200

On 24.07.2010 04:46, Nico Kadel-Garcia wrote:
> On Fri, Jul 23, 2010 at 6:25 AM, Ulf Seltmann <seltmann_at_digitalzone.de> wrote:
>> Hello all,
>>
>> I have a multihost environment and I want to provide svn access for
>> arbitrary customers via dav_svn. Is there a solution to have the
>> svn directories of the users only available to the unix users of the
>> customer instead of making them writable to the apache user (which mod_dav_svn
>> is using due to the fact that it's an apache module)?
>
> Yes. Switch *EVERYONE* to ssh+svn for protected access,
No. That's not acceptable, because every user that needs access to the
svn needs a PAM, respectively unix, account. The administrative expense
would be too high. I want my customers to add/remove the svn users via
.htpasswd/web frontend.

> because https and http and svn access all still have the issue of the UNIX or Linux
> clients saving passwords in cleartext, with no way for the server to
> prevent it. Or insist that UNIX users also use https: there is no
> reasonable excuse for providing direct write access to the repository
> as other users.
Only https is allowed for svn.

>> maybe it is possible to use cgi-access to svnserve to use suexec?
>
> It gets tricky. ssh+svn allows you to channel all access to go through
> a particular 'uid' that has the correct permissions set to be able to
> write to the repository. It's possible to set the repository
> permissions with group permissions, and directory permissions of 4775,
4770! No reason to give all read access.
> to have a shared group of which the "apache" user is a member. But I
> prefer, very strongly, to force the Subversion repository to be owned
> by a single user for management and permissions control.
Yes, me too. But as I mentioned above: it's a no-go. I will not add a
unix account for every silly user my customers want to have access to
their svn. Although I don't want to give write permissions to the
apache group, 'cause it's a potential security risk I can't estimate. I have
to add the unix user to that group too, and so the user theoretically has
access to all svn directories set up like this.

ciao
ulf
Received on 2010-07-26 11:56:11 CEST

This is an archived mail posted to the Subversion Users mailing list.
