access right questions: jailroot & svnadmin & apache


schildhans
6th May 2009, 13:11
Hi,

I plan to install ISPConfig3 on my vServer but I have a few questions before which could not be answered by searching the internet.
I need to install for 3 clients also a SVN repository.
I plan to make a subdomain for each client called svn.domain.tld.
But I am not sure about the access rights.
I would like to give every user the possibility to log in over ssh (with jailroot) so that they can execute svnadmin create repositoryname.
But when accessing svn.domain.tld, apache should deliver the repository with WebSVN (http://websvn.tigris.org/) and the repository should be registered with svn-access-manager.
Now I am not sure about two things:
- How can I make sure that the users can use the svnadmin command in the jail root?
- How do I have to set the user rights of the repository? Theoretically, if the user creates it and the subdomain uses suexec, the repository should be writeable for that user from within the php access manager?

I have no installation of ISPConfig3 here to test, so I have to do a complete switch.
Any suggestions on completing that task?

schildhans

till
6th May 2009, 20:06
1) Add svnadmin to the list of jailed applications.
2) Setting up the user rights for the repository is not related to ispconfig, you should take a look at one of the svn guides on the svn homepage.

schildhans
6th May 2009, 22:49
> 1) add svnadmin to the list of jailed applications.
> 2) Setting up the user rights for the repository is not related to ispconfig, you should take a look at one of the svn guides on the svn homepage.

1) Done, but the client always gets unknown command for svnadmin. I have in chrooted applications /usr/bin/svnadmin and in app section svnadmin.
2) I think I was not precise enough. I did not mean the access rights for the svn repository. What I mean is the following. Let's assume I have a user client1 with a domain svn.domain.tld where he wants to have his repository available.
I would configure apache like this:

<Location /svn/repos>
    DAV svn
    SVNParentPath /path/top/his/home/repos

    AuthType Basic
    AuthName "Subversion Repository"
    AuthUserFile /path/top/his/home/svn-passwd
    AuthzSVNAccessFile /path/top/his/home/svn-access
    Require valid-user

    SVNIndexXSLT /svnstyle/svnindex.xsl
</Location>

But the problem now is: apache has to have read & write access for the repository. But also client 1 has to have read & write access from its jailroot.
Because as far as I understand suExec works only for php execution but not for an access to dav svn. So apache does not run under the client1's user, or am I wrong?

till
7th May 2009, 12:01
1) This works only for new clients.
2) apache always runs under the apache user. But that's not a problem at all, as all repos can be owned by the apache user, as the login permissions were handled in the svn-passwd and do not depend on the file permissions, and /path/top/his/home/repos can be anywhere on your server and does not have to be in the home directory of the user, as the user is able to access the repository by webdav and does not have to access the files directly.
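
The ownership model from the last reply can be checked with a short shell function. This is an added example, not part of the thread and not ISPConfig code: it reports anything under an SVNParentPath directory that is not owned by the account Apache runs as, and additionally flags world-writable entries. The function name and output labels are made up for illustration; the path and account are whatever your server uses.

```shell
#!/bin/sh
# Added example: audit a Subversion parent directory served by mod_dav_svn.
# Usage: audit_svn_tree PARENT_PATH APACHE_USER
#   PARENT_PATH  the directory named in SVNParentPath (placeholder, yours will differ)
#   APACHE_USER  account name or numeric uid Apache runs as (e.g. www-data on Debian)
# Returns 0 when clean, 1 when findings were printed, 2 on a usage or find error.
audit_svn_tree() {
    parent=$1
    apache_user=$2
    [ -d "$parent" ] || { echo "not a directory: $parent" >&2; return 2; }

    # find exits non-zero for an unknown account or an unreadable subtree;
    # treat that as an error instead of reporting a clean tree.
    owner_hits=$(find "$parent" ! -user "$apache_user" -print) || return 2
    # Symlinks always show mode 777, so skip them in the permission check.
    write_hits=$(find "$parent" ! -type l -perm -0002 -print) || return 2

    rc=0
    if [ -n "$owner_hits" ]; then
        # Apache cannot commit to files it does not own (unless group perms allow it).
        printf '%s\n' "$owner_hits" | sed 's/^/WRONG-OWNER /'
        rc=1
    fi
    if [ -n "$write_hits" ]; then
        # Any local account, including a jailed client, could modify these directly,
        # bypassing the svn-passwd / svn-access checks done over WebDAV.
        printf '%s\n' "$write_hits" | sed 's/^/WORLD-WRITABLE /'
        rc=1
    fi
    return $rc
}

# Run directly: sh audit.sh /path/to/repos www-data
if [ "$#" -eq 2 ]; then
    audit_svn_tree "$1" "$2"
fi
```

A non-zero result on a freshly created repository usually means svnadmin create was run as a different account than the one Apache uses.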