Bug#341438: subversion: please add svnserve option to only give read-only access

2005-12-03 Thread Max Bowsher

tags 341438 + upstream fixed-upstream
thanks

Marc Haber wrote:
> On Sat, Dec 03, 2005 at 01:46:19PM +, Max Bowsher wrote:
> 
>>Uh... an -R (--read-only) option *ALREADY* exists. In fact, it has been
>>deprecated in favour of a repository's svnserve.conf file.
> 
> 
> ... and it is not documented in the svnserve man page.
> 
> 
>>Please explain why it is desirable to control access through svnserve
>>invocation, rather than by user identity.
> 
> 
> $ grep svn .ssh/authorized_keys
> from="192.168.123.92",command="svnserve -t -R" ssh-rsa 
> B3NzaC1yc2EBIwAAAQEAu0DKRi2tHpQcpFLuBqLvS/LbOnBTMlkprHuJSQeglX/LW1+gvh5OkmKD6CZDjJ/OCK6nGGJUf5ap33uLlXoHBifDetxr+p8xk2pcvUcV7hSWGRkVqHE+YA3TvonX8ga4YuX7F1Jwa21TUATXljbbdgbLMAx/oaUT98PN/XzF2nn/cAOslt6O6GR6asx4/xU3dCe69DpHeo6Fiq+1fJv0fmwiaUH5yF5uH4bzDMVebTiO0siKgVILPNMAuxo4W3osxXUdAM5xHs7ZL1X2ykFl3JPENKIGOfUm0MyaUATTOJunDfTHZiLKg/WKhXHYIOnCqPU5LIKMqWRJNFzMSwEwKQ==
>  [EMAIL PROTECTED] 2004-05-23
> 
> The key in question only grants read-only access to the repository,
> and only if the request is received from 192.168.123.92. The account
> itself can get r/w access from a shell.
> 
> This is, for example, an issue on public systems where each individual
> only gets a single account and doesn't want to expose the repository
> r/w to a passphraseless key for automatic processes while still being
> able to commit from a shell on the same account.


OK, I'm convinced. svnserve -R undeprecated on Subversion trunk
(1.4.0-dev), and backport to 1.3.0 proposed.

Max.



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Bug#341438: subversion: please add svnserve option to only give read-only access

2005-12-03 Thread Marc Haber
On Sat, Dec 03, 2005 at 01:46:19PM +, Max Bowsher wrote:
> Uh... an -R (--read-only) option *ALREADY* exists. In fact, it has been
> deprecated in favour of a repository's svnserve.conf file.

... and it is not documented in the svnserve man page.

> 
> Please explain why it is desirable to control access through svnserve
> invocation, rather than by user identity.

$ grep svn .ssh/authorized_keys
from="192.168.123.92",command="svnserve -t -R" ssh-rsa 
B3NzaC1yc2EBIwAAAQEAu0DKRi2tHpQcpFLuBqLvS/LbOnBTMlkprHuJSQeglX/LW1+gvh5OkmKD6CZDjJ/OCK6nGGJUf5ap33uLlXoHBifDetxr+p8xk2pcvUcV7hSWGRkVqHE+YA3TvonX8ga4YuX7F1Jwa21TUATXljbbdgbLMAx/oaUT98PN/XzF2nn/cAOslt6O6GR6asx4/xU3dCe69DpHeo6Fiq+1fJv0fmwiaUH5yF5uH4bzDMVebTiO0siKgVILPNMAuxo4W3osxXUdAM5xHs7ZL1X2ykFl3JPENKIGOfUm0MyaUATTOJunDfTHZiLKg/WKhXHYIOnCqPU5LIKMqWRJNFzMSwEwKQ==
 [EMAIL PROTECTED] 2004-05-23

The key in question only grants read-only access to the repository,
and only if the request is received from 192.168.123.92. The account
itself can get r/w access from a shell.

This is, for example, an issue on public systems where each individual
only gets a single account and doesn't want to expose the repository
r/w to a passphraseless key for automatic processes while still being
able to commit from a shell on the same account.

Greetings
Marc

-- 
-
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
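
The restriction described in the message above (an automation key pinned to "svnserve -t -R" and a from= address) can be checked mechanically. The following is an added example, not code from the thread or from Subversion or OpenSSH; the sample file, its placeholder key blobs, and the function names are constructed for illustration.

```python
import shlex

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")

def split_options(field):
    """Split the options field on commas that are outside double quotes."""
    opts, buf, quoted = {}, "", False
    for ch in field + ",":
        if ch == '"' and not buf.endswith("\\"):
            quoted = not quoted              # quote delimiters are dropped
        elif ch == "," and not quoted:
            name, _, value = buf.partition("=")
            opts[name.lower()] = value.replace('\\"', '"')
            buf = ""
        else:
            buf += ch
    return opts

def parse_line(line):
    """Return (options, rest_of_line), or None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0].startswith(KEY_TYPES):
        return {}, line                      # no options field at all
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"' and line[i - 1:i] != "\\":
            quoted = not quoted
        elif ch in " \t" and not quoted:     # first unquoted blank ends options
            return split_options(line[:i]), line[i:].strip()
    return None

def audit(text):
    """List (line_no, finding) for keys that could reach the repository r/w."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        parsed = parse_line(raw)
        if parsed is None:
            continue
        opts, _ = parsed
        if "command" not in opts:
            findings.append((n, "no forced command: key gets a shell (r/w)"))
            continue
        argv = shlex.split(opts["command"])
        if not argv or argv[0].rsplit("/", 1)[-1] != "svnserve":
            continue
        # Only the exact spellings count; anything else is reported (fail safe).
        if "-R" not in argv[1:] and "--read-only" not in argv[1:]:
            findings.append((n, "svnserve without -R: key can commit"))
        if "from" not in opts:
            findings.append((n, "no from= restriction: usable from any host"))
    return findings

SAMPLE = """# constructed sample, key blobs are placeholders
from="192.168.123.92",command="svnserve -t -R" ssh-rsa AAAA_CONSTRUCTED_1 cron
command="svnserve -t" ssh-rsa AAAA_CONSTRUCTED_2 backup
ssh-rsa AAAA_CONSTRUCTED_3 interactive
"""
```
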





Bug#341438: subversion: please add svnserve option to only give read-only access

2005-12-03 Thread Max Bowsher

Marc Haber wrote:
> Package: subversion
> Version: 1.2.3dfsg1-2
> Severity: wishlist
> 
> for some automatic processes invoked via ssh authentication (with an
> ssh key restricted to svnserve -t in authorized_keys, for example), it
> would be desirable to start up an svnserve process that will refuse
> writing to the repository. This could be implemented by an -r command
> line option, for example.

Uh... an -R (--read-only) option *ALREADY* exists. In fact, it has been
deprecated in favour of a repository's svnserve.conf file.

Please explain why it is desirable to control access through svnserve
invocation, rather than by user identity.

Thanks,
Max.





Bug#341438: subversion: please add svnserve option to only give read-only access

2005-11-30 Thread Marc Haber
Package: subversion
Version: 1.2.3dfsg1-2
Severity: wishlist

Hi,

for some automatic processes invoked via ssh authentication (with an
ssh key restricted to svnserve -t in authorized_keys, for example), it
would be desirable to start up an svnserve process that will refuse
writing to the repository. This could be implemented by an -r command
line option, for example.

Greetings
Marc

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14.2-zgsrv
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)

Versions of packages subversion depends on:
ii  db4.2-util   4.2.52-20      Berkeley v4.2 Database Utilities
ii  libapr0      2.0.55-3       the Apache Portable Runtime
ii  libc6        2.3.5-8.1      GNU C Library: Shared libraries an
ii  libdb4.2     4.2.52-20      Berkeley v4.2 Database Libraries [
ii  libexpat1    1.95.8-3       XML parsing C library - runtime li
ii  libldap2     2.1.30-12      OpenLDAP libraries
ii  libneon24    0.24.7.dfsg-3  An HTTP and WebDAV client library
ii  libssl0.9.8  0.9.8a-4       SSL shared libraries
ii  libsvn0      1.2.3dfsg1-2   shared libraries used by Subversio
ii  libxml2      2.6.22-2       GNOME XML library
ii  patch        2.5.9-2        Apply a diff file to an original
ii  zlib1g       1:1.2.3-8      compression library - runtime

subversion recommends no packages.

-- no debconf information

