
Re: empty pre-commit hook fails with svn+ssh with some accounts

From: Nico Kadel-Garcia <nkadel_at_gmail.com>
Date: Thu, 21 Jul 2011 10:51:13 -0400

On Thu, Jul 21, 2011 at 9:36 AM, Daniel Neuberger
<daniel.neuberger_at_gmail.com> wrote:
> We have a rather unique setup to meet certain requirements and as a
> result I can't get any hooks to work (even empty ones or ones that
> just exit with a zero return code).
>
> In short, we have a repository owned by one user that is accessed by
> tunneling over ssh to other user accounts.  To get around the
> permission issues, the setuid bit is set on /usr/bin/svnserve for the
> user that owns the repository.  Everything works fine except hooks
> regardless of what permissions I give them or what the script does.
> The hooks work fine though if I ssh to the user account that owns the
> repository rather than another user account (we can't operate that way
> though).
>
> Everything else from the other user accounts works fine.  Also,
> running the pre-commit hook from the other user accounts using an
> empty environment works fine too.
>
> All the scripts are bash scripts.  All systems are RHEL 5.5 using svn 1.4.

Stop *RIGHT* there. Go grab the Subversion 1.6.x from the RHEL updates.
Do not pass go, do not collect $200 until you do this sitewide. There
are significant security and performance improvements, well worth the
update pain.

That said, putting "suid" bits on svnserve is just begging for
confusing pain in a configuration that no one has been using. Can you
not use the svn+ssh shared account access, with SSH keys restricted to
svnserve tunnel access, as documented in the Subversion Red Book?
Received on 2011-07-21 16:51:46 CEST
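
The shared-account setup suggested in the reply above, as an added example that is not part of the original thread: each user's SSH key in the repository owner's authorized_keys is pinned to svnserve tunnel mode, so hooks run as the owning account and no setuid bit is needed. The function names, user name, repository root and key strings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: authorized_keys entries for a shared svn+ssh account.
# User names, repository root and keys used with these functions are
# constructed placeholders, not values from the thread.

# sshd options that stop a key from doing anything beyond the forced command.
RESTRICT='no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty'

# Print one authorized_keys line that pins a public key to svnserve tunnel mode.
#   $1 = name recorded as svn:author   $2 = repository root   $3 = public key
svn_key_entry() {
    printf 'command="svnserve -t --tunnel-user=%s -r %s",%s %s\n' \
        "$1" "$2" "$RESTRICT" "$3"
}

# Report every key line in file $1 that is not pinned this way.
# Returns 0 when all key lines pass, 1 when at least one line is reported.
audit_authorized_keys() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
        {
            # The forced command must be svnserve in tunnel mode with a fixed user.
            ok = ($0 ~ /^command="svnserve -t --tunnel-user=[^ "]+[ "]/)
            # Every forwarding and pty restriction must be present.
            ok = ok && ($0 ~ /no-port-forwarding/) && ($0 ~ /no-agent-forwarding/)
            ok = ok && ($0 ~ /no-X11-forwarding/) && ($0 ~ /no-pty/)
            if (!ok) { print FILENAME ":" NR ": " $0; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$1"
}
```

Run `audit_authorized_keys` against the shared account's `~/.ssh/authorized_keys`; any line it prints is a key that can still get a shell or forward ports as the repository owner.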

This is an archived mail posted to the Subversion Users mailing list.
