subversion-users mailing list archives

From Ulf Seltmann <seltm...@digitalzone.de>
Subject Re: dav-svn in multihost environments, but safe
Date Mon, 26 Jul 2010 09:55:30 GMT
On 24.07.2010 04:46, Nico Kadel-Garcia wrote:
> On Fri, Jul 23, 2010 at 6:25 AM, Ulf Seltmann <seltmann@digitalzone.de> wrote:
>> Hello all,
>>
>> I have a multihost environment and I want to provide svn access for
>> arbitrary customers via dav_svn. Is there a solution to have the
>> svn directories of the users only available to the Unix users of the
>> customer instead of making them writable to the apache user (which mod_dav_svn
>> is using due to the fact that it's an Apache module)?
>
> Yes. Switch *EVERYONE* to ssh+svn for protected access,
No. That's not acceptable, because every user that needs access to the
svn needs a PAM or, respectively, Unix account. The administrative expense
would be too high. I want my customers to add/remove the svn users via
.htpasswd/web frontend.

> because https and http and svn access all still have the issue of the UNIX or Linux
> clients saving passwords in cleartext, with no way for the server to
> prevent it. Or insist that UNIX users also use https: there is no
> reasonable excuse for providing direct write access to the repository
> as other users.
Only https is allowed for svn.

>> maybe it is possible to use cgi-access to svnserve to use suexec?
>
> It gets tricky. ssh+svn allows you to channel all access to go through
> a particular 'uid' that has the correct permissions set to be able to
> write to the repository. It's possible to set the repository
> permissions with group permissions, and directory permissions of 4775,
4770! No reason to give all read access.
> to have a shared group of which the "apache" user is a member. But I
> prefer, very strongly, to force the Subversion repository to be owned
> by a single user for management and permissions control.
Yes, me too. But as I mentioned above: it's a no-go. I will not add a
Unix account for every silly user my customers want to have access to
their svn. Although I don't want to give write permissions to the
apache group, because it's a potential security risk I can't estimate. I have
to add the Unix user to that group too, and so the user theoretically has
access to all svn directories set up like this.

ciao
ulf
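
Added example, not part of the original thread: a small audit of the two exposures discussed above, namely repository directories that grant any access to "other" (the 4775 versus 4770 point) and a single group that has access to more than one customer's repository. It assumes one repository directory per customer directly under a hosting root and checks only each top-level directory's mode; the function names and that layout are hypothetical.

```python
import grp
import os
import stat
import sys
from collections import defaultdict


def audit_repos(root):
    """Inspect the repository directories directly under root.

    Returns (findings, shared):
      findings: {repo: [issue, ...]} for repos with any 'other' permission bits
      shared:   {gid: [repo, ...]} for groups with access to more than one repo
    """
    findings = {}
    by_gid = defaultdict(list)
    for name in sorted(os.listdir(root)):
        st = os.lstat(os.path.join(root, name))
        if not stat.S_ISDIR(st.st_mode):
            continue  # skip plain files and symlinks
        mode = stat.S_IMODE(st.st_mode)
        issues = []
        if mode & (stat.S_IROTH | stat.S_IXOTH):
            issues.append("other-accessible")  # e.g. 775 instead of 770
        if mode & stat.S_IWOTH:
            issues.append("other-writable")
        if issues:
            findings[name] = issues
        if mode & stat.S_IRWXG:
            by_gid[st.st_gid].append(name)
    shared = {gid: repos for gid, repos in by_gid.items() if len(repos) > 1}
    return findings, shared


def group_members(gid):
    """Supplementary members of gid (users with it as primary group are not listed)."""
    try:
        return list(grp.getgrgid(gid).gr_mem)
    except KeyError:
        return []  # gid has no entry in the group database


if __name__ == "__main__" and len(sys.argv) == 2:
    findings, shared = audit_repos(sys.argv[1])
    for repo, issues in findings.items():
        print(f"{repo}: {', '.join(issues)}")
    for gid, repos in shared.items():
        # Every member of this group can reach every repository listed here.
        print(f"gid {gid} members {group_members(gid)} reach: {', '.join(repos)}")
```
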
