[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Subversion: existing users

From: Andy Canfield <andy.canfield_at_pimco.mobi>
Date: Sat, 23 Jul 2011 15:27:34 +0700

On 07/21/2011 07:27 PM, Cooke, Mark wrote:
>> -----Original Message-----
>> From: Andy Canfield [mailto:andy.canfield_at_pimco.mobi]
>> Sent: 21 July 2011 13:19
>> To: nkadel_at_gmail.com
>> Cc: users_at_subversion.apache.org
>> Subject: Re: Subversion: existing users
>>
>>
>>
>> On 07/21/2011 05:55 PM, Andy Levy wrote:
>>
>> On Thu, Jul 21, 2011 at 06:12, Andy Canfield
>> <andy.canfield_at_pimco.mobi> <mailto:andy.canfield_at_pimco.mobi> wrote:
>>
>> ADDENDUM ...
>>
>> I used root to create the /data/svn directory.
>> Then, anticpiating problems,
>> I did a chmod to make it writable to all.
>>
>>
>> Giving global write permission will lead to problems as well.
>> Different problems, but problems nonetheless.
>>
>>
>> Later I ran svnadmin create /data/svn/sample
>> and it created an entire
>> repository directory tree under /data/svn. I
>> don't remember but I probably
>> ran it as root.
>>
>> I just now noticed that /data/svn/sample and
>> all the sub-directories and
>> files therein are owned by root and, usually,
>> writable only by root. This is
>> probably going to cause problems for Apache /
>> mod_dav_svn which, of course,
>> runs as the 'apache user' ("www-data") instead of root.
>>
>> Where did I go wrong? The manual talks about
>> commands but does not seem to
>> talk about what user is executing the command.
>> Do I have to run svnadmin as
>> www-data? Is there a way to create a repository
>> using my browser?
>>
>>
>> Your repository directory (the one you created with
>> svnadmin create)
>> should be owned by www-data (or whatever account your
>> server process
>> executes under). It doesn't matter whether you run
>> svnadmin create as
>> that user, or run it as another user and then change ownership.
>>
>>
>> OK, restart again. The new commands to create the
>> RepositoryParent directory are:
>> mkdir /data/svn
>> sudo chown www-data.www-data svn
> I don't use *nix much but shouldn't that be `chown -R ...`?

Nope, the format of that command on Linux is
     chown username.groupname fileselector
Generally chown has to be run as root in order to be allowed to change
the file owner. The command on OS X is nearly the same but the user and
group are separated by a colon, not a period.

>> This results in
>> drwxr-xr-x 3 www-data www-data 4096 2011-07-21 19:01 /data/svn
>> Here is the command I used to create a repository:
>> sudo -u www-data svnadmin create /data/svn/sample3
>> Now we have
>> drwxr-xr-x 6 www-data www-data 4096 2011-07-21 19:01
>> /data/svn/sample3
>> -rw-r--r-- 1 www-data www-data 229 2011-07-21 19:01
>> /data/svn/sample3/README.txt
>> etc.
>>
>> When I point my browser to http://localhost/svn/sample3 I
>> still get this short page:
>> sample3 - Revision 0: /
>> Powered by Subversion version 1.6.12 (r955767).
>> so I still suspect that the browser interface is incapable of
>> performing any action, including creating a repository, and
>> is also incapable of giving me a list of repositories.
> It WILL give you a list of reporsitories _under_a_parent_root_ IF you
> configure it correctly. Of course this tends to be easier (and less
> secure?) under windoze... As has been mentioned in other posts, you
> need to give mod_dav_svn TWO directives:
> SVNParentPath D:/svn/
> SVNListParentPath On
>
> What are you expecting the browser interface to give you? It provides a
> fairly simple, read-only interface to the repositories it is configured
> to serve. There are tools (ViewVC etc) that provide more functionality
> but general operation is NOT through the browser but a subversion client
> that happens to use https (etc) as the communication patheway. (I
> notice Andy Levy has addressed this point better than I)
>
> ~ mark c
>
I would like to comment here that I've given up the idea of
automatically giving repository access users with an existing login.
While it's not a problem now, it is quite possible that in the future
we'll have people with server logins but we don't wnat those people to
be able to see work in progress on advanced projects. Using the specific
http-based mechanisms we can keep advanced research projects away from
the eyes of people who shouldn't see it. Automatically granting access
to a user just because he has a login account was a bad idea.

Thank you all.
Received on 2011-07-23 10:38:40 CEST

This is an archived mail posted to the Subversion Users mailing list.