4

The aim is to set up subversion with both svnserve and apache/webdav access.

When users commit via http/apache, files are written to the filesystem and belong to the apache user.

When users commit via svn/svnserve, files are written to the filesystem and belong to the root user.

I tried to set up apache as an svnserve user, without improvement:

cat /pathto/repo/conf/passwd
[users]
apache = XxXxXxX

cat /pathto/repo/conf/svnserve.conf
[general]
anon-access = none
auth-access = write
password-db = passwd

[sasl]
use-sasl = false

svn: Commit failed (details follow):
svn: Can't move '/pathto/repo/db/txn-protorevs/1091-ux.rev' 
to '/pathto/repo/db/revs/1/1092': Permission denied

Indeed, root is the owner of the directory; I wanted apache.

ls -ld /pathto/repo/db/revs/1/
drwxr-s--- 2 root svn 4096 Jul 17 15:25 /pathto/repo/db/revs/1/

For now I use the following workaround:

chown -R apache /pathto/repo/db/

Does anyone have a clean solution to run svnserve?

update 1 : svnserve is run as a standalone service

update 2 : Here is /etc/sysconfig/svnserve content:

OPTIONS="--threads --root /pathto "

update 3 : I agree with JvO: using http/apache/webdav as the only access system would be much simpler. Unfortunately, a third party software has only an svn:// binding and no http:// binding.

update 4 : Modifying the svnserve init script should work, but does anyone have another idea?

update 5 : Added bounty : Looking for an elegant workaround

  • Bounty on http://serverfault.com/questions/7698/how-can-i-adjust-subversion-repository-file-permissions-automatically-for-use-w ended without drawing attention –  Jul 18 '13 at 09:23
  • I am just curious as to what is not elegant about modifying the startup script to make the daemon run as the correct user? – Doon Jul 28 '13 at 16:50
  • I am not saying it is not elegant. –  Jul 29 '13 at 09:39

2 Answers

5

Clearly, your svnserve process runs as root. So change the configuration to run that process as some non-privileged user (it's not clear exactly how svnserve is started from your description; could be xinetd or something else).

Security-wise, the best approach IMO would be to add both apache and the svnserve user to a common group (like 'svn') and change the permissions on your repository to drwxrws--- (that is, group permissions are 'sticky')

JvO
  • thanks. svnserve is run standalone. According to man svnserve there is no option to run as a specific user. I would have expected svnserve to drop privileges once a user is connected but it doesn't seem to be the case. Any clean way to run non-privileged? –  Jul 17 '13 at 20:18
  • If I change permissions to drwxrws---, won't there be new files with drwxr-s--- permissions? (+1 for quick answer) –  Jul 17 '13 at 20:20
  • To run svnserve as a different user, you may consider using 'su' while starting it, or 'setuidgid' from Bernstein's daemontools (http://cr.yp.to). And no, a sticky group bit on a directory won't set the sticky bit on files, but it will force files to have the same group as the directory. In addition, subdirectories will become sticky as well. – JvO Jul 17 '13 at 20:33
  • So changing the permission implies doing chmod -R on a regular basis, as new files/directories won't be group writable? –  Jul 18 '13 at 07:43
  • Nope, only once. You have to make sure your umask is correct (0007 in this case), for both the svnserver process and apache (see the manual pages). But the more you ask... isn't it simpler to just use 1 access system? In my experience, using Apache's webdav is far easier to maintain and works with all clients. – JvO Jul 18 '13 at 12:19
4

You should be able to modify your svnserve startup script to run as a different user. Take a look at https://gist.github.com/dexterbt1/905615 with the relevant part being

start() {
    echo -n $"Starting $desc ($prog): "
    daemon --user $USER $prog -d $OPTIONS
    RETVAL=$?
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog
    echo
}

and then you should just be able to set USER in /etc/sysconfig/subversion to the user you would like to run as. I would also echo @JvO's suggestion about running as a user with a common group (i.e. create an svn user with an svn group, make the daemon run as user svn, and then add the apache user to the svn group).

Doon