[Fusionforge-general] GForge/FusionForge developer access to SVN - WebDAV or ssh/svnserve better?
Roland Mas
lolando at debian.org
Tue Feb 24 10:31:05 CET 2009
Matt Kleffner, 2009-02-23 23:04:56 -0600 :
> This is good to know - I prefer the most secure solution. Currently
> I am setting up svn+ssh, although at the moment I am just trying
> "svn" - I have
>
> svn stream tcp nowait.400 scm-gforge /usr/bin/svnserve svnserve -i -r /var/lib/gforge/chroot
>
> in my /etc/inetd.conf - this came from running
>
> /usr/lib/gforge/plugins/scmsvn/bin/install-svn.sh configure
>
> When I try to checkout the siteadmin project (a svn repository has
> been created) from a different Debian lenny machine with
>
> svn checkout svn://admin@servername/svnroot/siteadmin
>
> I get no password prompt (thankfully this machine isn't on the
> internet)
That much is expected: inetd is set up to serve read-only access to
anonymous users.
> and svn: Can't open file
> '/var/lib/gforge/chroot/svnroot/siteadmin/format': Permission denied
>
> The permissions on this file are
>
> -r--rw-r-- 1 scm-gforge scm_siteadmin 2 2009-02-17 23:45 /var/lib/gforge/chroot/svnroot/siteadmin/format
What are the permissions for the directories above?
/var/lib/gforge/chroot/svnroot/siteadmin in particular.
> Is this due to no write access for the user? I know that everything
> is commented out in the conf subdirectory files (authz, passwd, and
> svnserve.conf) - I'm not aware of how gforge provides/exports
> authentication files/databases (automatically?) to each repository
> for use with svnserve. It seems in this case I might have to edit
> one of these files by hand, but I'm wondering if I have to do this
> for every project and every user.
Is your project configured to be private or to disallow anonymous
checkouts? These would trigger a change in permissions that would
make the repositories unreadable for anyone but the members of the
appropriate group.
> In order to set up svn+ssh, is it absolutely required that I set up
> unix/shell accounts for forge users as well?
Well, ssh requires shell accounts. One could probably devise a way
to use only a handful of shared shell accounts, but that would be
convoluted and I'm not sure it would still be secure.
> I am trying to avoid the creation of unix accounts if
> possible. Maybe create a password for scm-gforge and change its
> shell from /bin/false to /usr/bin/svnserve for project-level
> authentication? This doesn't sound like an elegant solution, but at
> the moment I don't see any other way other than creating unix
> accounts for each forge user.
The problem with shared accounts is that they're shared... and so,
you can't grant different permissions to different persons or groups of
persons.
> Any info is appreciated. My apologies if I haven't properly RTFM.
Don't worry too much about that point: we need to write TFM before we
tell people to read it.
Roland.
--
Roland Mas
In the kingdom of the blind, there are one-eyed men you must not overtake.
(Au royaume des aveugles, il y a des borgnes à ne pas dépasser.)
  -- in Soeur Marie-Thérèse des Batignolles (Maëster)
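The question Roland asks ("what are the permissions for the directories above?") is the usual way to run down a "Can't open file '.../format': Permission denied" from svnserve: every directory from / down to the repository needs the search (x) bit for whoever svnserve runs as, and the format file needs the read bit. The script below is an added example, not part of FusionForge or of the thread; it walks that chain for a chosen permission class (anonymous inetd access is "other", project members are "group"), reports the first directory that blocks, and then checks the format file. The path /var/lib/gforge/chroot/svnroot is taken from the thread; the tree that demo_tree builds is a constructed sample with the project directory set to 750 (what a private project would look like) and the format file set to -r--rw-r-- as shown above.

```shell
#!/bin/sh
# Added diagnostic, not FusionForge code: find which directory between a start
# point and a Subversion repository is not searchable by a permission class,
# then check whether REPO/format is readable by that class. Works from the
# mode string printed by `ls -ld`, so it does not depend on who runs it.

# 1-based column (for cut) of the x bit in `ls -ld` output for a class:
# drwxr-xr-x -> owner x is column 4, group x column 7, other x column 10.
x_bit_column() {
  case $1 in
    owner) echo 4 ;;
    group) echo 7 ;;
    other) echo 10 ;;
    *) echo "unknown permission class: $1" >&2; return 2 ;;
  esac
}

# mode_char FILE COLUMN: the single character at COLUMN of `ls -ld FILE`.
mode_char() {
  ls -ld "$1" | cut -c "$2"
}

# first_blocking_dir CLASS TARGET [START]
# Print the first directory from START (default /) down to TARGET that is not
# searchable by CLASS and return 1; print nothing and return 0 if all are.
first_blocking_dir() {
  class=$1; target=${2%/}; start=${3:-/}
  col=$(x_bit_column "$class") || return 2
  prefix=${start%/}                      # empty string when START is /
  case $target in
    "$prefix"/*) ;;
    *) echo "$target is not below $start" >&2; return 2 ;;
  esac
  # Collect the directories from START downward, one per line.
  chain=""
  p=$target
  while [ "$p" != "$prefix" ]; do
    chain="$p
$chain"
    p=${p%/*}
  done
  chain="${prefix:-/}
$chain"
  old_ifs=$IFS; IFS='
'
  for d in $chain; do
    IFS=$old_ifs
    [ -d "$d" ] || { echo "$d (not a directory)"; return 1; }
    case $(mode_char "$d" "$col") in
      x|s|t) ;;                          # setuid/setgid/sticky imply x is set
      *) echo "$d"; return 1 ;;
    esac
  done
  IFS=$old_ifs
  return 0
}

# file_readable_by CLASS FILE: return 0 when the r bit is set for CLASS.
file_readable_by() {
  col=$(x_bit_column "$1") || return 2
  [ "$(mode_char "$2" $((col - 2)))" = r ]   # r sits two columns before x
}

# diagnose_repo CLASS REPO [START]: say whether svnserve running as CLASS can
# open REPO/format and, if not, which directory or file stops it.
diagnose_repo() {
  repo=${2%/}
  if blocker=$(first_blocking_dir "$1" "$repo" "${3:-/}"); then
    if file_readable_by "$1" "$repo/format"; then
      echo "ok: $1 can reach and read $repo/format"
      return 0
    fi
    echo "blocked: $repo/format is not readable by $1"
    return 1
  fi
  echo "blocked: ${blocker:-(error)} is not searchable by $1"
  return 1
}

# demo_tree: constructed sample layout (not a real forge install) that
# reproduces the symptom from the thread: project directory 750, format 0464.
demo_tree() {
  t=$(mktemp -d) || return 2
  chmod 755 "$t"                         # mktemp -d creates 700, which would itself block "other"
  mkdir -p "$t/chroot/svnroot/siteadmin"
  chmod 755 "$t/chroot" "$t/chroot/svnroot"
  chmod 750 "$t/chroot/svnroot/siteadmin" # private project: no search bit for "other"
  printf '5\n' > "$t/chroot/svnroot/siteadmin/format"
  chmod 464 "$t/chroot/svnroot/siteadmin/format"   # -r--rw-r--, as in the thread
  echo "$t"
}

main() {
  if [ $# -ge 2 ]; then                   # e.g. ./check.sh other /var/lib/gforge/chroot/svnroot/siteadmin
    diagnose_repo "$1" "$2" "${3:-/}"
    return $?
  fi
  base=$(demo_tree) || return 2
  repo=$base/chroot/svnroot/siteadmin
  diagnose_repo other "$repo" "$base"     # blocked at the 750 project directory
  diagnose_repo group "$repo" "$base"     # ok: members of the project group get through
  rm -rf "$base"
}

main "$@"
```

Run it without arguments to see the constructed case, or as `sh check.sh other /var/lib/gforge/chroot/svnroot/siteadmin` on a real install to test the anonymous inetd path. The class is chosen by the caller rather than derived from the current user on purpose: the user you are logged in as is rarely the one svnserve runs as.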