Can I prevent a file from being modified?

2011-07-17 Thread David Myers

Dear subversion,

I have recently started a new post and I am in the process of 
investigating some possible new working practices. This particularly 
relates to document control.


I have read in various places about the 'tagging' system (whereby I can 
use a property to effectively 'name' a file) used by subversion and 
things such as svn:needs-lock that forces any user who tries to commit a 
change to a file to be asked to acquire the lock that the file holds.


These almost fit my requirements, but not quite.


What I require is a method where I can make the file truly 'read only' 
after a certain point.

From what I have read in various places I think I understand that...
subversion reflects the unix style permissions on its subdirectories, 
in the subversion directory tree.
If I want to make a specific location 'read only' I need to do this from 
a new directory, and then files in this directory will acquire the 
permissions of the parent directory.
subversion doesn't store the file permissions of a file directly; it 
stores it within the svn:properties


However if the above statement is correct this may not fill my requirements.

Let me expand on my problem (situation).

A group of users may be working on a file over time. At a certain point 
they all agree that the file is up to its required needs and they 
formally create a hard copy of this file, and store it as a controlled 
document (signed and counter signed blah blah blah).
The finalised hard copy of the file must be an exact match of the copy 
stored electronically. All the users will be aware that this file 
shouldn't be changed on the disk. But life being life when a user opens 
the file to print it they may inadvertently add a space in a paragraph, 
or an accidental carriage return, or worse


how often have you been working on document1 when you get that
   phone call to ask about a specific part of the controlled document2,
   so you open the document to have a quick read and clarify the
   situation. Then you get distracted by something else and you return
   and start editing the document2, thinking you are editing document1.
   We all know it shouldn't happen but it does occasionally.

What I want to be sure of is that even if this is done by accident there 
is no way that the file on disk in the subversion repository can be 
inadvertently changed. The svn:need-lock property combined with another 
personal property (something along the lines of CtrlDoc:DO_NOT_CHANGE 
TRUE ), unless there is an svn:read-only property that I am yet to come 
across!


I feel that the combination of these properties and proper use of the 
Head, commit and branch strategies should enable myself and my users to 
ensure that these types of problems don't occur.


Please help me clarify this so as I can propose the use of a subversion 
to my colleagues, and give eloquent and correct answers to any of their 
queries.


Thanks in advance.

David






--
Tel: + 33 6 50 14 39 34

email:
david.myers.24...@gmail.com

Adresse:
56 Rue du Coteau du Parc,
91180 Saint Germain les Arpajon



Subversion access control

2011-07-17 Thread Andy Canfield

We are running svnserve on a Mac OS X.

I can not get the subversion server to control access. I executed the 
server by this command:
    /usr/bin/svnserve --daemon --root=/var/svn --config-file=/var/svn/config/svnserve.conf

As long as file /var/svn/config/svnserve.conf contains the original line:
    # anon-access = read
this command works:
    svn info svn://localhost/sample
Of COURSE I don't want random hackers to have read access to my source 
code!

As soon as that line is changed to
    anon-access = none
the error message comes back:
    svn: No access allowed to this repository

(By the way, I originally changed the # to a space and got an error on 
that line. Apparently the keyword MUST start in the first column.)


I have added this line to 'passwd' -
    andy = canfield
I have added these lines to 'authz' -
    [/sample]
    andy = rw
The documentation for 'svn' says that if you don't give a user name and 
password you will be prompted for them. I have never under any 
circumstances been prompted. Even this command fails with the same error 
message:

    svn info --username=andy --password=canfield svn://localhost/sample


Subversion: list of repositories

2011-07-17 Thread Andy Canfield
How do you get a list of repositories from svnserver? The only way I can 
figure out is:

    ssh usern...@example.com
    sudo bash
    ls -ld /var/svn/*
And, of course, this makes an assumption about where on the server the 
repositories are located. There 'ought' to be an easier way.


Subversion: via Apache

2011-07-17 Thread Andy Canfield

WHOA! Near as I can tell, if you have an apache2 server offering web sites
http://example.com/alpha
http://example.com/beta
http://example.com/gamma
and you configure the apache2 web server for Subversion support, 
suddenly you can no longer access alpha and beta and gamma. DOES 
SUBVERSION TAKE OVER THE ENTIRE APACHE SERVER? Apparently so. Yet 
the book makes no mention of this!


Well, we can not have subversion stealing our apache server; after all 
we plan to use subversion to maintain a web site being hosted by that 
very server. So we'll have to use svnserve.


Subversion: Access control management

2011-07-17 Thread Andy Canfield

The file /var/svn/sample/README.txt says
    This is a Subversion repository; use the 'svnadmin' tool to examine
    it.  Do not add, delete, or modify files here unless you know how
    to avoid corrupting the repository.
but as far as I know there are no svnadmin tools to control access to 
the repository; the only way to control access to the repository is to 
manually edit the files in the 'conf' subdirectory, which the README.txt 
file tells you not to do.


Subversion: existing users

2011-07-17 Thread Andy Canfield
The most obvious authorization scheme is that of the host server; if 
there is a user named andy on that server with a password jackel 
then I would like to simply be able to talk to the subversion server as 
user named andy password jackel. This is how ssh and sftp work. But 
apparently subversion can't handle that. True?


Re: Subversion access control

2011-07-17 Thread Andy Levy
On Sun, Jul 17, 2011 at 02:06, Andy Canfield andy.canfi...@pimco.mobi wrote:
 We are running svnserve on a Mac OS X.

 I can not get the subversion server to control access. I executed the server
 by this command:
     /usr/bin/svnserve --daemon --root=/var/svn
 --config-file=/var/svn/config/svnserve.conf
 As long as file /var/svn/config/svnserve.conf contains the original line:
     # anon-access = read
 this command works:
     svn info svn://localhost/sample
 Of COURSE I don't want random hackers to have read access to my source code
 !
 As soon as that line is changed to
     anon-access = none
 the error message comes back:
     svn: No access allowed to this repository

 (By the way, I originally changed the # to a space and got an error on
 that line. Apparently the keyword MUST start in the first column.)

 I have added this line to 'passwd' -
     andy = canfield
 I have added these lines to 'authz' -
     [/sample]
     andy = rw
 The documentation for 'svn' says that if you don't give a user name and
 password you will be prompted for them. I have never under an circumstances
 been prompted. Even this command fails with the same error message:
     svn info --username=andy --password=canfield svn://localhost/sample

Did you specify in svnserve.conf where your passwd & authz files are located?
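
A way to check for the settings this question points at, added here as an example and not code from the thread or from the Subversion project. The two configuration texts are constructed samples; the first assumes the remaining stock lines of svnserve.conf were left commented out, and `audit_svnserve_conf` is a hypothetical helper name.

```python
import re

# Constructed sample: stock svnserve.conf with only anon-access changed.
# Assumes the other stock lines are still commented out.
CONF_AS_POSTED = """\
[general]
anon-access = none
# auth-access = write
# password-db = passwd
# authz-db = authz
"""

# Constructed sample: the same file with the user and authz files named.
# Relative paths are resolved against the directory holding this file.
CONF_WIRED = """\
[general]
anon-access = none
auth-access = write
password-db = passwd
authz-db = authz
"""


def parse_general(text):
    """Return ([general] options, line numbers of indented option lines)."""
    options, indented, section = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif raw[0].isspace():
            # The thread reports that an option not starting in column one
            # is rejected, so flag it instead of guessing how it parses.
            indented.append(lineno)
        elif section == "general" and "=" in line:
            key, value = line.split("=", 1)
            options[key.strip().lower()] = value.strip()
    return options, indented


def audit_svnserve_conf(text):
    """List reasons why password-protected access would not work."""
    options, indented = parse_general(text)
    findings = [f"line {n}: option does not start in the first column"
                for n in indented]
    # anon-access defaults to read when the line is commented out or absent.
    anon = options.get("anon-access", "read")
    if anon != "none":
        findings.append(f"anon-access = {anon}: unauthenticated clients get in")
    if options.get("auth-access", "write") == "none":
        findings.append("auth-access = none: authenticated users are refused")
    if not options.get("password-db"):
        findings.append("password-db unset: the passwd file is never read")
    if not options.get("authz-db"):
        findings.append("authz-db unset: the authz path rules are never applied")
    return findings


if __name__ == "__main__":
    for name, conf in (("as posted", CONF_AS_POSTED), ("wired", CONF_WIRED)):
        print(name, audit_svnserve_conf(conf) or "ok")
```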


Re: Subversion: list of repositories

2011-07-17 Thread Andy Levy
On Sun, Jul 17, 2011 at 02:06, Andy Canfield andy.canfi...@pimco.mobi wrote:
 How do you get a list of repositories from svnserver? The only way I can
 figure out is:
     ssh usern...@example.com
     sudo bash
     ls -ld /var/svn/*
 And, of course, this makes an assumption about where on the server the
 repositories are located. There 'ought' to be an easier way.

There is, but only if you serve via Apache.


Re: Subversion: Access control management

2011-07-17 Thread Andy Levy
On Sun, Jul 17, 2011 at 02:07, Andy Canfield andy.canfi...@pimco.mobi wrote:
 The file /var/svn/sample/README.txt says
     This is a Subversion repository; use the 'svnadmin' tool to examine
     it.  Do not add, delete, or modify files here unless you know how
     to avoid corrupting the repository.
 but as far as I know there are no svnadmin tools to control access to the
 repository; the only way to control access to the repository is to manually
 edit the files in the 'conf' subdirectory, which the README.txt file tells
 you not to do.

Your svnserve config file can be located anywhere svnserve has read
permission on. Use the --config-file option to specify the full path.
$REPOS/conf is merely the default location, and it's implied that a
configuration should be editable as needed.


Re: Subversion access control

2011-07-17 Thread Matthew Beals
I don't know your needs, but have you considered using svn+ssh instead?  This 
transfers authentication over to ssh, which simplifies things quite a bit.  
Since all it is doing is making a tunnel and then calling svnserve as the user 
logging in, you can still retain user based permissions.

Matt


Matthew Beals
Michigan Technological University
Department of Atmospheric Sciences
1400 Townsend Drive
B019a Fisher Hall
Houghton, MI 49931
mjbe...@mtu.edu

- Original Message -
From: Andy Canfield andy.canfi...@pimco.mobi
To: users@subversion.apache.org
Sent: Sunday, July 17, 2011 2:06:21 AM GMT -05:00 US/Canada Eastern
Subject: Subversion access control

We are running svnserve on a Mac OS X. 

I can not get the subversion server to control access. I executed the server by 
this command: 
/usr/bin/svnserve --daemon --root=/var/svn 
--config-file=/var/svn/config/svnserve.conf 
As long as file /var/svn/config/svnserve.conf contains the original line: 
# anon-access = read 
this command works: 
svn info svn://localhost/sample 
Of COURSE I don't want random hackers to have read access to my source code 
! 
As soon as that line is changed to 
anon-access = none 
the error message comes back: 
svn: No access allowed to this repository 

(By the way, I originally changed the # to a space and got an error on that 
line. Apparently the keyword MUST start in the first column.) 

I have added this line to 'passwd' - 
andy = canfield 
I have added these lines to 'authz' - 
[/sample] 
andy = rw 
The documentation for 'svn' says that if you don't give a user name and 
password you will be prompted for them. I have never under an circumstances 
been prompted. Even this command fails with the same error message: 
svn info --username=andy --password=canfield svn://localhost/sample 


Re: Can I prevent a file from being modified?

2011-07-17 Thread Les Mikesell

On 7/16/11 3:14 PM, David Myers wrote:

Dear subversion,

I have recently started a new post and I am in the process of investigating some
possible new working practices. This particularly relates to document control.

I have read in various places about the 'tagging' system (where by I can use a
property to effectively 'name' a file) used by subversion and things such as
svn:needs-lock that forces any user who tries to commit a change to a file to be
asked to acquire the lock that the file holds.

These almost fit my requirements, but not quite.


What I require is a method where I can make the file truly 'read only' after a
certain point.
 From what I have read in various places I think I understand that...
subversion reflects the unix style permissions on its subdirectories, in the
subversion directory tree.
If I want to make a specific location 'read only' I need to do this from a new
directory, and then files in this directory will acquire the permissions of the
parent directory.
subversion doesn't store the file permissions of a file directly; it stores it
within the svn:properties

However if the above statement is correct this may not fill my requirements.

Let me expand on my problem (situation).

A group of users may be working on a file over time. At a certain point they all
agree that the file is up to its required needs and they formally create a hard
copy of this file, and store it as a controlled document (signed and counter
signed blah blah blah).
The finalised hard copy of the file must be an exact match of the copy stored
electronically. All the users will be aware that this file shouldn't be changed
on the disk. But life being life when a user opens the file to print it they may
inadvertently add a space in a paragraph, or an accidental carriage return, or 
worse

how often have you been working on document1 when you get that phone call to
ask about a specific part of the controlled document2, so you open the
document to have a quick read and clarify the situation. Then you get
distracted by something else and you return and start editing the document2,
thinking you are editing document1.
We all know it shouldn't happen but it does occasionally.

What I want to be sure of is that even if this is done by accident there is no
way that the file on disk in the subversion repository can be inadvertently
changed. The svn:need-lock property combined with another personal property
(something along the lines of CtrlDoc:DO_NOT_CHANGE TRUE ), unless there is an
svn:read-only property that I am yet to come across!

I feel that the combination of these properties and proper use of the Head,
commit and branch strategies should enable myself and my users to ensure that
these types of problems don't occur.

Please help me clarify this so as I can propose the use of a subversion to my
colleagues, and give eloquent and correct answers to any of their queries.


First, subversion provides mechanisms to check for changes against a specified 
revision and to retrieve specified revisions into your working copy.  Perhaps 
you can formalize the way you specify the revision(s) you want to be using or 
add checks for changes in files subsequent revisions in your workflow and relax 
the requirement to disallow changes.  Version control systems are more about 
tracking changes than preventing them.   If you ask for a specific revision it 
will always be the same regardless of changes in subsequent changes.   Tags are 
sort-of a special case of this where a directory at a certain revision is copied 
to a name where you reference it more easily - but you'd get exactly the same 
results if you retrieved the source directory of the tag copy and specified the 
revision number.  Because of the way tags are used, they are normally not 
modified after the copy that creates them, either just by convention or by a 
pre-commit hook that disallows changes to existing files.  If you want to tweak 
things at that level, you could modify your pre-commit hook script to prevent 
changes to any files you want.


--
  Les Mikesell
   lesmikes...@gmail.com
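
A sketch of the pre-commit hook suggested in this reply, added here as an example and not code from the thread or from the Subversion project. It assumes a file is frozen by committing the custom property `CtrlDoc:DO_NOT_CHANGE` with value `TRUE` (the name proposed in the question); the sample data and function names are constructed for illustration.

```python
#!/usr/bin/env python3
"""pre-commit hook: refuse commits that touch a path marked as frozen."""
import subprocess
import sys

# Custom property name and value taken from the question; freezing a file is
# an ordinary commit that sets this property on it.
FROZEN_PROP = "CtrlDoc:DO_NOT_CHANGE"


def svnlook(*args):
    """Run svnlook; return stdout, or None on failure (e.g. property unset)."""
    done = subprocess.run(["svnlook", *args], capture_output=True, text=True)
    return done.stdout if done.returncode == 0 else None


def changed_paths(changed_output):
    """Paths from `svnlook changed` lines: status columns, then the path."""
    return [line[4:].rstrip("/") for line in changed_output.splitlines()
            if len(line) > 4]


def is_frozen(repos, path, lookup=svnlook):
    # No -t/-r: read the property from the youngest committed revision, so a
    # commit cannot unfreeze a file by deleting the property in the same step.
    value = lookup("propget", repos, FROZEN_PROP, path)
    return value is not None and value.strip().upper() == "TRUE"


def violations(repos, changed_output, lookup=svnlook):
    """Return the changed paths that are frozen in the youngest revision."""
    return [p for p in changed_paths(changed_output)
            if is_frozen(repos, p, lookup)]


# Constructed `svnlook changed` output and property store for a dry run.
SAMPLE_CHANGED = (
    "U   docs/controlled/spec.doc\n"
    "_U  docs/controlled/plan.doc\n"
    "U   docs/drafts/notes.doc\n"
    "A   docs/drafts/new.doc\n"
)
SAMPLE_FROZEN = {"docs/controlled/spec.doc", "docs/controlled/plan.doc"}


def sample_lookup(*args):
    """Stand-in for svnlook propget over SAMPLE_FROZEN."""
    return "TRUE" if args[0] == "propget" and args[-1] in SAMPLE_FROZEN else None


def main(argv):
    if len(argv) != 3:                      # no REPOS/TXN: dry run on the sample
        print(violations("(sample)", SAMPLE_CHANGED, sample_lookup))
        return 0
    repos, txn = argv[1], argv[2]
    changed = svnlook("changed", "-t", txn, repos)
    if changed is None:                     # fail closed if svnlook breaks
        print("pre-commit: cannot inspect transaction", file=sys.stderr)
        return 1
    blocked = violations(repos, changed)
    for path in blocked:                    # stderr is shown to the committer
        print(f"{path} is a controlled document ({FROZEN_PROP}); "
              "commit rejected", file=sys.stderr)
    return 1 if blocked else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Only the paths that `svnlook changed` lists are checked: deleting a parent directory lists the directory alone, so frozen files beneath it need a separate rule (for example, setting the property on the directory as well).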



Re: Can I prevent a file from being modified?

2011-07-17 Thread Chris Albertson
On Sat, Jul 16, 2011 at 1:14 PM, David Myers
david.myers.24...@gmail.com wrote:
 Dear subversion,

 I have recently started a new post and I am in the process of investigating
 some possible new working practices. This particularly relates to document
 control.

No matter how good or what features you have in SVN or some other
system like it, there is the chance that after the document is checked
out it is modified.  I think you need to have workflow and practices
to prevent and detect a change that might happen outside of svn.   A
couple things I can think of are (1) Compute the MD5 checksum and
store that as a separate text file.  If ever you find the MD5 and the
document no longer match you know one of them is changed.  (2) many
document file formats can be set to disallow edits.  PDF can be set
this way.

With SVN I think all you need is a way to DETECT changes because you
can always back them out if you know the change was made.   An MD5
checksum is a good way to detect changes
-- 

Chris Albertson
Redondo Beach, California


Re: Can I prevent a file from being modified?

2011-07-17 Thread Ryan Schmidt

On Jul 16, 2011, at 15:14, David Myers wrote:

 From what I have read in various places I think I understand that...
 subversion reflects the unix style permissions on its subdirectories, in the 
 subversion directory tree.
 If I want to make a specific location 'read only' I need to do this from a 
 new directory, and then files in this directory will acquire the permissions 
 of the parent directory.
 subversion doesn't store the file permissions of a file directly; it stores it 
 within the svn:properties

Where did you read this? I don't think any of that is true. Subversion does not 
store permissions. There is no such thing as svn:properties. The only 
permission Subversion can store is a file's execute bit; set the 
svn:executable property to an asterisk (*) to indicate the file should have 
the execute bit, or delete that property to indicate it should not.




Re: Can I prevent a file from being modified?

2011-07-17 Thread Daniel Shahaf
Ryan Schmidt wrote on Sun, Jul 17, 2011 at 15:35:20 -0500:
 
 On Jul 16, 2011, at 15:14, David Myers wrote:
 
  From what I have read in various places I think I understand that...
  subversion reflects the unix style permissions on its subdirectories, in 
  the subversion directory tree.
  If I want to make a specific location 'read only' I need to do this from a 
  new directory, and then files in this directory will acquire the 
  permissions of the parent directory.
  subversion doesn't store the file permissions of a file directly; it stores 
  it within the svn:properties
 
 Where did you read this? I don't think any of that is true. Subversion
 does not store permissions. There is no such thing as
 svn:properties. The only permission Subversion can store is a file's
 execute bit; set the svn:executable property to an asterisk (*) to
(any value will do; * is fine as long as one remembers to shell-quote it)
 indicate the file should have the execute bit, or delete that property
 to indicate it should not.
 

Also, svn:needs-lock files will be checked out as read-only until
they're svn locked.  But we don't store permissions beyond that.

(There are wrapper scripts that do so, but Subversion itself doesn't.)


 


Re: Subversion: via Apache

2011-07-17 Thread Andy Canfield

I removed the <Location /svn> block. No, Apache does not function.

    telnet hk.pimco.mobi 80
    Trying 202.181.201.137...
    Connected to hk.pimco.mobi.
    Escape character is '^]'.
    HEAD / HTTP/1.0
(pressed Enter twice)
    Connection closed by foreign host.

In my last message I did not include the Apache version number; the 
output of '/usr/sbin/httpd -v' is:

    Server version: Apache/2.2.14 (Unix)
    Server built:   Feb 10 2010 22:22:39
Is there any way to check the version number of the SVN modules if they 
are not working?



On 07/17/2011 08:15 PM, Andy Levy wrote:

Strip your httpd.conf.subversion down to ONLY load the modules. Do not
include the <Location /svn> block. Does Apache function? Telnet to
hk.pimco.mobi on port 80 and enter the following:

HEAD / HTTP/1.0

Then ENTER twice. You should get an HTTP/1.1 200 OK response (see
http://tonycode.com/wiki/index.php?title=Making_HTTP_requests_via_telnet
for more details on this).

If this doesn't work, then you likely have a difference between the
version of Apache you're running and the SVN modules. They need to be
built using the same version of APR, IIRC.



Re: Subversion: via Apache

2011-07-17 Thread Geoff Hoffman
Test your config with -t


Re: Subversion: list of repositories

2011-07-17 Thread Andy Levy
Please Reply to All to keep discussion on the list.

List convention is to bottom-post and quote inline. Please do not top-post.

On Sun, Jul 17, 2011 at 22:29, Andy Canfield andy.canfi...@pimco.mobi wrote:
 If I set up http://example.com/svn to be a way to use apache to communicate
 with the svn service on the example.com server then is pointing my browser
 to http://example.com/svn supposed to give me some kind of web page?
 Because I do not remember seeing anything about that in the book.

You're looking for SVNParentPath.
http://svnbook.red-bean.com/nightly/en/svn.serverconfig.httpd.html

 On 07/17/2011 07:07 PM, Andy Levy wrote:

 On Sun, Jul 17, 2011 at 02:06, Andy Canfield andy.canfi...@pimco.mobi
  wrote:

 How do you get a list of repositories from svnserver? The only way I can
 figure out is:
     ssh usern...@example.com
     sudo bash
     ls -ld /var/svn/*
 And, of course, this makes an assumption about where on the server the
 repositories are located. There 'ought' to be an easier way.

 There is, but only if you serve via Apache.




Re: Subversion: list of repositories

2011-07-17 Thread Nico Kadel-Garcia
On Sun, Jul 17, 2011 at 8:07 AM, Andy Levy andy.l...@gmail.com wrote:
 On Sun, Jul 17, 2011 at 02:06, Andy Canfield andy.canfi...@pimco.mobi wrote:
 How do you get a list of repositories from svnserver? The only way I can
 figure out is:
     ssh usern...@example.com
     sudo bash
     ls -ld /var/svn/*
 And, of course, this makes an assumption about where on the server the
 repositories are located. There 'ought' to be an easier way.

 There is, but only if you serve via Apache.

Even then, it won't find repositories that are not built into the
Apache layout or the relevant parent directory.


Re: Subversion: via Apache

2011-07-17 Thread Andy Levy
On Sun, Jul 17, 2011 at 22:29, Andy Canfield andy.canfi...@pimco.mobi wrote:
 I removed the <Location /svn> block. No, Apache does not function.

 telnet hk.pimco.mobi 80
 Trying 202.181.201.137...
 Connected to hk.pimco.mobi.
 Escape character is '^]'.
 HEAD / HTTP/1.0
 (pressed Enter twice)
 Connection closed by foreign host.

 In my last message I did not include the Apache version number; the output
 of '/usr/sbin/httpd -v' is:
     Server version: Apache/2.2.14 (Unix)
     Server built:   Feb 10 2010 22:22:39
 Is there any way to check the version number of the SVN modules if they are
 not working?

If Apache isn't working at all with your Location block ripped out,
then the problem is the modules themselves.

Rather than trying to figure out what versions you have now, just
remove what you have & replace with a version compiled with an APR
version that matches your Apache installation. If you installed both
Subversion & Apache via your distro's packaging system, this should
have all been taken care of for you.

 On 07/17/2011 08:15 PM, Andy Levy wrote:

 Strip your httpd.conf.subversion down to ONLY load the modules. Do not
 include the <Location /svn> block. Does Apache function? Telnet to
 hk.pimco.mobi on port 80 and enter the following:

 HEAD / HTTP/1.0

 Then ENTER twice. You should get an HTTP/1.1 200 OK response (see
 http://tonycode.com/wiki/index.php?title=Making_HTTP_requests_via_telnet
 for more details on this).

 If this doesn't work, then you likely have a difference between the
 version of Apache you're running and the SVN modules. They need to be
 built using the same version of APR, IIRC.




Re: Subversion: list of repositories

2011-07-17 Thread Geoff Hoffman
On Sat, Jul 16, 2011 at 11:06 PM, Andy Canfield andy.canfi...@pimco.mobi wrote:

 How do you get a list of repositories from svnserver? The only way I can
 figure out is:
     ssh usern...@example.com
     sudo bash
     ls -ld /var/svn/*
 And, of course, this makes an assumption about where on the server the
 repositories are located. There 'ought' to be an easier way.



Andy,
I read (skimmed) all your posts, and I'm a little confused but I think I
know where you're going. I'm not sure if you're using Apache to serve your
repositories. If you are, you should check out this:
http://davidwinter.me/articles/2006/03/03/access-control-for-subversion-with-apache2-and-authz/
and this
https://help.ubuntu.com/community/Subversion

I recently followed the blog above and got everything setup how I think you
want it. You can control user access to multiple repos in three ways, the
blog explains it all, except one thing. I found that this is for
folder-level control on one repository:

[/]
@team = r
bob = rw

[/wowapp/trunk]
@team = r
@devteam = rw
brenda = rw


In my authz control file, multiple repositories are done like this (note the
repo name and colon):

[repoA:/]
@team = r
bob = rw

[repoB:/]
@team = r
@devteam = rw
brenda = rw


I also put websvn on it, and use the configuration option

$config->useAuthenticationFile('/path/to/your/authz/file');
which I found on this stackoverflow Q&A:
http://serverfault.com/questions/13853/how-do-i-restrict-repository-access-via-websvn


Re: Subversion: via Apache

2011-07-17 Thread Les Mikesell

On 7/17/11 9:41 PM, Andy Levy wrote:


Rather than trying to figure out what versions you have now, just
remove what you have & replace with a version compiled with an APR
version that matches your Apache installation. If you installed both
Subversion & Apache via your distro's packaging system, this should
have all been taken care of for you.


The packages may depend on the distribution.  For example, for Red Hat or Centos 
it would be httpd, subversion, and mod_dav_svn, and you'd get a snippet of the 
httpd config in /etc/httpd/conf.d/subversion.conf where you can customize the setup.


--
  Les Mikesell
   lesmikes...@gmail.com


Re: Subversion: via Apache

2011-07-17 Thread Nico Kadel-Garcia
On Sun, Jul 17, 2011 at 11:07 PM, Les Mikesell lesmikes...@gmail.com wrote:
 On 7/17/11 9:41 PM, Andy Levy wrote:

 Rather than trying to figure out what versions you have now, just
 remove what you have & replace with a version compiled with an APR
 version that matches your Apache installation. If you installed both
 Subversion & Apache via your distro's packaging system, this should
 have all been taken care of for you.

 The packages may depend on the distribution.  For example, for Red Hat or
 Centos it would be httpd, subversion, and mod_dav_svn, and you'd get a
 snippet of the httpd config in /etc/httpd/conf.d/subversion.conf where you
 can customize the setup.

The reference to /etc/apache2/httpd.conf indicates that it's
probably Debian or Ubuntu. Red Hat correctly refers to it as httpd.

 --
  Les Mikesell
   lesmikes...@gmail.com