3

I have 2 users: Alice and Bob and 2 groups: Management and Personnel. Alice has primary group Management, and secondary groups Personnel and Alice. Bob has primary group Personnel and secondary group Bob.

Now they both need read/write access to the local Subversion repository in /var/svn/new-project/. The problem is that when Alice commits to the repository Bob can't commit to it anymore, due to the fact that he's not in Management group, which is Alice's primary group.

My question: how to enable both to read and write to the repository without messing up the permissions, while keeping them in separate primary groups, without chmod'ing the repo dir to 777 and without running a cronjob which fixes the permissions every minute?

vincent.io

3 Answers

3

Use ACLs (Access Control Lists). Documentation is here: http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/ch-acls.html

Example for your setup:

setfacl --recursive -m u:Alice:rwx /var/svn/new-project/
setfacl --recursive -m u:Bob:rwx /var/svn/new-project/

weeheavy
  • I'm afraid this is not working, because the new ACL doesn't seem to apply to new files in the repo. For example, the db/revs/0/50 file is created when revision 50 is committed by Alice. Bob can't access this file as it does not have the ACL rights for Bob. Somehow the ACL needs to be made sticky or something? – vincent.io Nov 01 '11 at 16:44
  • Oh, I'm sorry. You probably need to set a default ACL on the base directory that gets inherited by every subdirectory like this: setfacl -d -m u:Alice:rwx /var/svn/new-project/ and the same for user Bob. – weeheavy Nov 02 '11 at 07:58
3

You probably want to enable the setgid bit on the directory and set the group of the directory to be a common group (in this case, Personnel). setuid/setgid on a directory forces files created under it to be given the owner/group of the directory.

James O'Gorman
  • This is working great! Surprising how setuid/setgid is something entirely different on directories than on executables. Thanks! – vincent.io Nov 02 '11 at 09:34
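The setgid setup from this answer, together with a check for permission drift, as an added example that is not part of the original posts. `share_dir` and `audit_shared` are hypothetical helper names; the path and group in the usage comment are the ones from the question. Setgid only fixes group ownership, so the audit also flags entries that a restrictive umask left without group write.

```shell
#!/bin/sh
# Added example: set up and audit a group-shared directory tree.
# share_dir and audit_shared are hypothetical helper names.
#
# Usage on the question's repository (as root):
#   share_dir    /var/svn/new-project Personnel
#   audit_shared /var/svn/new-project Personnel

# Hand DIR to GROUP and set the setgid bit on every directory, so new
# entries inherit GROUP instead of the committer's primary group.
share_dir() {
    dir=$1 group=$2
    chgrp -R "$group" "$dir" || return 1
    # Directories: rwx for owner and group, setgid, nothing for others.
    find "$dir" -type d -exec chmod 2770 {} + || return 1
    # Files: copy the owner's bits to the group, clear the rest.
    find "$dir" -type f -exec chmod g=u,o= {} +
}

# Print every entry under DIR that would lock out another member of
# GROUP: wrong group, missing group read/write, or a directory without
# setgid and group rwx. Returns 0 only when nothing is printed.
audit_shared() {
    dir=$1 group=$2
    bad=$(find "$dir" \( ! -group "$group" \
            -o ! -perm -060 \
            -o \( -type d ! -perm -2070 \) \) -print)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}
```

Running `audit_shared` after a failed commit shows which file or directory lost its group access.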
2

Make the repository folder-structure owned by group Personnel.

Set permissions to 770 and make sure both users have a 00x umask.

(If needed, wrap the subversion client in a small script that sets the umask to 00x before use.)

Unless your subversion client does something unusual with the file-permissions when updating the repository this should be sufficient.

Tonny