Subversion & SVN+SSH Permissions
Even though userone is not a member of the myproject group, userone can checkout the whole repository.
The repositories are probably world-readable. You can change that by running
sudo chmod -R o-rws /svn/myproject
(Is this because userone is member of the sudo group?)
No, membership of the sudo group just means that you can gain root privileges through sudo. SVN wouldn't take advantage of that. (But, more generally, if a user has root privileges on a machine, they can read anything on it; you can't stop them.)
usertwo is a member of the myproject group, but cannot commit to the repository
What probably happened is that userone committed some new files to the repository and they end up owned by him and not writeable by the project group.
The usual solution to this is to make all the directories inside the project have the setgid bit set. That will force all files created inside them to be owned by the project group.
sudo chmod -R g+s /svn/myproject
Then you also need to make sure that everyone's umask is set to 002, so that files will be group-writeable by default.
This all gets quite complicated, and fragile, so it may be easier to serve the SVN repository via https only.
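As an added example (not part of the original answer), this shell function audits a repository tree for the conditions discussed above: permission bits for "other", directories missing the setgid bit, directories the group cannot fully use, and entries owned by a different group. The function name and the finding labels are made up for this example.

```shell
#!/bin/sh
# Added example: audit an svn+ssh repository tree for the permission
# problems discussed in the answer. Labels and function name are made up.
# Usage: audit_svn_repo /svn/myproject myproject
audit_svn_repo() {
    repo=$1
    grp=$2
    findings=$(
        # Any permission bit for "other" lets non-members in, which is
        # what chmod -R o-rws removes. Symlink modes are meaningless.
        find "$repo" ! -type l \
            \( -perm -004 -o -perm -002 -o -perm -001 \) | sed 's/^/WORLD  /'
        # Directories without setgid: files created in them get the
        # committer's primary group instead of the project group.
        find "$repo" -type d ! -perm -2000 | sed 's/^/NOSGID /'
        # Directories the group cannot fully use: members cannot create
        # files there, so commits fail with "permission denied".
        find "$repo" -type d ! -perm -070 | sed 's/^/NOGRWX /'
        # Entries that already belong to some other group.
        find "$repo" ! -group "$grp" | sed 's/^/GROUP  /'
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Run directly as: sh audit.sh /svn/myproject myproject
if [ "$#" -eq 2 ]; then
    audit_svn_repo "$1" "$2"
fi
```

The umask of each user's SSH session is not visible on disk, so this audit does not cover it.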
NetStudent
Updated on September 18, 2022
Comments
-
NetStudent over 1 year
I want to set up some Subversion repositories, to be accessed via SVN+SSH, so that each repository is owned by a different group and is only accessible for reading and writing by the group's members. This is what I did so far:
sudo addgroup myproject
sudo mkdir -p /svn/myproject
sudo svnadmin create /svn/myproject
sudo chown -R :myproject /svn/myproject
sudo chmod -R g+rws /svn/myproject
However, something with my setup is not working properly...
- Even though userone is not a member of the myproject group, userone can checkout the whole repository. (Is this because userone is member of the sudo group?)
- usertwo is a member of the myproject group, but cannot commit to the repository due to an error: permission denied while accessing /svn/myproject/db/revprops/__something__/__something__
Point 1) is an issue because it may mean everyone with shell access to the machine can checkout the code. Point 2) is problematic because a user with (apparently) the right permissions can't commit to the repository.
What am I doing wrong in this setup?
-
vladr almost 9 years
You don't need to set everyone's umask to 002 if you enable ACLs on the filesystem and
sudo setfacl -Rm d:g::rwX,g::rwX repo_dir/db