
Re: MOD_DAV_SVN + SVNSERVE_WRAPPER + file system rights

From: Nico Kadel-Garcia <nkadel_at_gmail.com>
Date: Mon, 25 Nov 2013 05:35:12 -0500

Getting Apache to run suid processes and spawn mod_dav_svn processes
has never worked for me, but it's been a long time since I tried it.
It's also unnecessary in most setups: if the svn+ssh is owned by a
single designated user, such as an "svn" user, with SSH keys stored
to apply the "ForceCommand" and set the particular svnserve user,
then there is a common user's credentials that the Apache daemon
merely needs write access to. That can be done with group permissions.

It's not as safe as you might like, since the Apache-related group and
other hacked access to the web server could provide read and write
repository access. But one can provide both means of access,
especially to share a publicly accessible repository.

On Mon, Nov 25, 2013 at 5:24 AM, <sbremal_at_hotmail.com> wrote:
> Correct, default SSH port is not open on the corporate firewall. I am sure there are workarounds, however having contractual obligations not sure I should try hard to be unorthodox.
>
> SSH + SVN is my favourite and will stay with it as the primary access method. If I could top it with HTTP access using the existing Unix authentication and authorization framework, I would be more than happy. After all Unix works for tens of years, why to change it???
>
> Other alternative would be to force Apache to spawn MOD_DAV_SVN processes as the authenticated user, wonder if it is possible, or has any inadvertent complications.
>
>
> B.
>
> ----------------------------------------
>> Date: Sat, 23 Nov 2013 01:07:16 +0200
>> From: d.s_at_daniel.shahaf.name
>> To: sbremal_at_hotmail.com
>> CC: users_at_subversion.apache.org
>> Subject: Re: MOD_DAV_SVN + SVNSERVE_WRAPPER + file system rights
>>
>> sbremal_at_hotmail.com wrote on Thu, Nov 21, 2013 at 18:37:21 +0000:
>>> I am very happy with the SSH + 'svnserve' access to my repositories,
>>> however due to firewall issues I need access through HTTP as well.
>>> What I do not want is to set up a 2nd authentication / authorization
>>> database.
>>
>> What are the "firewall issues", exactly? Why can't you use svn+ssh?
>> Can you run sshd on port 80 (which would allow you to use svn+ssh
>> without httpd at all)?
>>
>> Daniel
Received on 2013-11-25 11:39:26 CET
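
The shared "svn" account described in the reply above depends on every SSH key being pinned to svnserve with its own user name. The following audit sketch is an added example, not part of the original mail; it assumes the forced command is set per key with the `command=` option in the shared account's `authorized_keys`, and the sample file and key material are constructed placeholders.

```python
import re
import shlex

# Per-key restrictions expected next to command= (OpenSSH "restrict" implies them all).
REQUIRED = {"no-port-forwarding", "no-agent-forwarding", "no-X11-forwarding", "no-pty"}
KEY_TYPE = re.compile(r"^(ssh-|ecdsa-|sk-)")
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?')

def split_options(line):
    """Return the options field: everything before the first unquoted whitespace."""
    if KEY_TYPE.match(line):
        return ""                      # line starts with the key type: no options
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i]
    return line

def parse_options(opts):
    """Map option name -> quoted value ('' for flag options)."""
    return {m.group(1): m.group(2) or "" for m in OPTION.finditer(opts)}

def audit(text):
    """Return (line_number, finding) pairs for keys that are not pinned to svnserve."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts = parse_options(split_options(line))
        if "command" not in opts:
            findings.append((n, "no command=: key gets a normal login shell"))
            continue
        argv = shlex.split(opts["command"])
        users = [a.split("=", 1)[1] for a in argv if a.startswith("--tunnel-user=")]
        if not argv or argv[0].rsplit("/", 1)[-1] != "svnserve" or "-t" not in argv:
            findings.append((n, "command= does not run 'svnserve -t'"))
        elif not users or not users[0]:
            findings.append((n, "no --tunnel-user: commits attributed to shared account"))
        missing = REQUIRED - set(opts) if "restrict" not in opts else set()
        if missing:
            findings.append((n, "missing " + ", ".join(sorted(missing))))
    return findings

# Constructed sample; key blobs are placeholders, not real keys.
SAMPLE = """# authorized_keys of the shared svn account
command="svnserve -t --tunnel-user=alice",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAAPLACEHOLDER1 alice
command="svnserve -t",no-pty ssh-ed25519 AAAAPLACEHOLDER2 bob
ssh-rsa AAAAPLACEHOLDER3 carol
restrict,command="/usr/bin/svnserve -t -r /srv/svn --tunnel-user=dave" ssh-ed25519 AAAAPLACEHOLDER4 dave
"""

if __name__ == "__main__":
    for n, msg in audit(SAMPLE):
        print(f"line {n}: {msg}")
```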

This is an archived mail posted to the Subversion Users mailing list.