[Fusionforge-general] GForge/FusionForge developer access to SVN - WebDAV or ssh/svnserve better?

Roland Mas lolando at debian.org
Tue Feb 24 10:31:05 CET 2009


Matt Kleffner, 2009-02-23 23:04:56 -0600 :

> This is good to know - I prefer the most secure solution. Currently
> I am setting up svn+ssh, although at the moment I am just trying
> "svn" - I have
>
> svn stream tcp nowait.400 scm-gforge /usr/bin/svnserve svnserve -i -r
> /var/lib/gforge/chroot
>
> in my /etc/inetd.conf - this came from running
>
> /usr/lib/gforge/plugins/scmsvn/bin/install-svn.sh configure
>
> When I try to checkout the siteadmin project (a svn repository has
> been created) from a different Debian lenny machine with
>
> svn checkout svn://admin@servername/svnroot/siteadmin
>
> I get no password prompt (thankfully this machine isn't on the
> internet)

  That much is expected: inetd is set up to serve read-only access to
anonymous users.

> and svn: Can't open file
> '/var/lib/gforge/chroot/svnroot/siteadmin/format': Permission denied
>
> The permissions on this file are
>
> -r--rw-r-- 1 scm-gforge scm_siteadmin 2 2009-02-17 23:45
> /var/lib/gforge/chroot/svnroot/siteadmin/format

  What are the permissions for the directories above?
/var/lib/gforge/chroot/svnroot/siteadmin in particular.

> Is this due to no write access for the user? I know that everything
> is commented out in the conf subdirectory files (authz, passwd, and
> svnserve.conf) - I'm not aware of how gforge provides/exports
> authentication files/databases (automatically?) to each repository
> for use with svnserve. It seems in this case I might have to edit
> one of these files by hand, but I'm wondering if I have to do this
> for every project and every user.

  Is your project configured to be private or to disallow anonymous
checkouts?  These would trigger a change in permissions that would
make the repositories unreadable for anyone but the members of the
appropriate group.

> In order to set up svn+ssh, is it absolutely required that I set up
> unix/shell accounts for forge users as well? 

  Well, ssh requires shell accounts.  One could probably devise a way
to use only a handful of shared shell accounts, but that would be
convoluted and I'm not sure it would still be secure.

> I am trying to avoid the creation of unix accounts if
> possible. Maybe create a password for scm-gforge and change its
> shell from /bin/false to /usr/bin/svnserve for project-level
> authentication? This doesn't sound like an elegant solution, but at
> the moment I don't see any other way other than creating unix
> accounts for each forge user.

  The problem with shared accounts is that they're shared... and so,
you can't grant different permissions to different persons or groups of
persons.

> Any info is appreciated. My apologies if I haven't properly RTFM.

  Don't worry too much on that point: we need to write TFM before we
tell people to read it.

Roland.
-- 
Roland Mas

In the kingdom of the blind, there are one-eyed men who must not be overtaken.
  -- in Soeur Marie-Thérèse des Batignolles (Maëster)
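The directory-permission question Roland raises above (which directory above `format` denies search access to the account svnserve runs as) can be answered mechanically. The script below is an added example, not code from this thread or from GForge/FusionForge: it walks every directory above a file and names the first one a given user cannot traverse, judging from the mode bits alone so the answer is the same whoever runs it. It assumes GNU coreutils `stat -c` and only considers the user's primary group, not supplementary groups.

```shell
#!/bin/sh
# Added example, not from the thread or the GForge/FusionForge code base.
# Reports the first directory above FILE that USER (primary group GROUP)
# cannot search, based purely on mode bits, owner and group.
# Assumes GNU coreutils `stat -c`; supplementary groups are ignored.

# triple MODE u|g|o -> the rwx triple for owner, group or other
triple() {
    case $2 in
        u) printf '%s\n' "$1" | cut -c2-4 ;;
        g) printf '%s\n' "$1" | cut -c5-7 ;;
        o) printf '%s\n' "$1" | cut -c8-10 ;;
    esac
}

# can_search USER GROUP DIR -> exit 0 if USER may traverse DIR
can_search() {
    user=$1 group=$2 dir=$3
    set -- $(stat -c '%A %U %G' "$dir")   # e.g. drwxr-x--- scm-gforge scm_siteadmin
    mode=$1 owner=$2 grp=$3
    if [ "$owner" = "$user" ]; then cls=u
    elif [ "$grp" = "$group" ]; then cls=g
    else cls=o
    fi
    case $(triple "$mode" "$cls") in
        ??x | ??s | ??t) return 0 ;;   # lowercase s/t in the x slot means x is set
        *) return 1 ;;
    esac
}

# traversal_check USER GROUP FILE -> prints "ok" or the first blocking directory
traversal_check() {
    user=$1 group=$2 file=$3
    case $file in /*) ;; *) echo "absolute path required" >&2; return 2 ;; esac
    oldifs=$IFS; IFS=/; set -- $(dirname "$file"); IFS=$oldifs
    cur=/
    for comp in "$@"; do
        [ -n "$comp" ] && cur=${cur%/}/$comp
        if ! can_search "$user" "$group" "$cur"; then
            printf '%s\n' "$cur"
            return 1
        fi
    done
    echo ok
}

# Example call for the situation in the thread (paths as given there):
# traversal_check scm-gforge scm-gforge /var/lib/gforge/chroot/svnroot/siteadmin/format
```

If the output names a directory, that is the component whose mode (or ownership) stops svnserve before it ever reaches the `format` file.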
