[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Subversion access control / Linux users etc.

From: Andy Canfield <andy.canfield_at_pimco.mobi>
Date: Thu, 21 Jul 2011 18:54:47 +0700

More user/command interaction -

The commands to create the Subversion Repository Parent directory were
* sudo bash
     mkdir /data/svn
     chmod a+w /data/svn*
This created this directory:
* drwxrwxrwx 4 root 4096 2011-07-21 17:36 /data/svn/*

I ran this command as user root:
* svnadmin create /data/svn/sample*
and what I get is
* drwxr-xr-x 6 root 4096 2011-07-21 11:08 /data/svn/sample/*

I ran this command as user andy:
* svnadmin create /data/svn/example*
and what I got is
* drwxr-xr-x 6 andy 4096 2011-07-21 17:36 /data/svn/example/*

It concerns me that apache is running as user 'www-data' and niether of
these repositories are owned by, or even writable by, www-data. So I did
these commands:
* sudo bash
     su www-data
     svnadmin create geronimo*
The output of the last command was as follows:
* svnadmin: Repository creation failed
     svnadmin: Could not create top-level directory
     svnadmin: Can't create directory 'geronimo': Permission denied*
That surprises me; the /data/svn directory is writable by everyone. Ah well.

The browser, when pointing to http://localhost/svn/RepoName, gives this
* RepoName - Revision 0: /
     Powered by Subversion version 1.6.12 (r955767)*.
This is true whether RepoName is 'sample' or 'example'. Of course, the
only thing mod_dav_svn needs to do in this case is to read the
repository, and all files and directories are readable by everyone,
regardless of whether they are owned by root or andy.

So the browser access mechanism has no commands to control a repository,
only to describe it? Logically this might make sense; however I would
expect that http://localhost/svn would be capable of listing the
repositories and creating new repositories.. But when I point the
browser to http://localhost/svn I get this response:
* Forbidden
     You don't have permission to access /svn/ on this server.
     Apache/2.2.17 (Ubuntu) Server at localhost Port 80*
When I look at /var/log/apache2/error.log I see these lines:
* [Thu Jul 21 17:54:04 2011] [error] [client]
         Could not fetch resource information. [403, #0]
     [Thu Jul 21 17:54:04 2011] [error] [client]
         (2)No such file or directory: The URI does not contain the name
of a repository.
          [403, #190001]*
Ahah! So http://localhost/svn is NOT a valid Subversion URL. I was
mistaken when I thought someone said that the Apache browser interface
could give me a list of the repositories.

As Linux user 'andy'. Here goes:
* rm -rf .subversion
****svn info http://localhost/svn/sample --username='andy'
* Password for 'default' GNOME keyring:
     svn: OPTIONS of 'http://localhost/svn/sample': authorization failed:
         Could not authenticate to server: rejected Basic challenge
*The fact is that, as far as I know, I DON"T HAVE ANY %$#@! GNOME
KEYRING! So when it asked for the Password for 'default' GNOME keyring I
just pressed Enter. Then authenticiation failed.

OK, so I have completely removed the gnome-keyring package. I also had
to wipe out the ~/.gnome2/keywrings directory. Now to try again.

Wait. Wait some more. Go down to 7/11; buy a hot dog and some potato
chips. Come back home. It's been 20-30 minutes. Command still hasn't
completed. Nothing in /var/log/apache2/error.log. Just a dead svn
program. Had to kill -9.

When it comes to plants, some people have a green thumb; I have a brown
thumb. Looks like when it comes to Subversion I have a black thumb.
Received on 2011-07-21 13:55:35 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.