Re: Help with Mac repositry permissions
Hi Not really sure about mac.. but what I would do in linux would be: sudo find /path/to/repo -type f -exec chmod 660 {} \; sudo find /path/to/repo -type d -exec chmod 2770 {} \; sudo chown -R root.www-data /path/to/repo How do you remove the global permissions? What error message do you get? Cheers / Erik On Wed, Sep 8, 2010 at 8:40 AM, Matthew Allen wrote: > Hi I started a serverfault question about mac svn repo permissions: > > http://serverfault.com/questions/171647/what-are-the-correct-usergroup-for-a-mac-svn-apache-install > > But haven't got any response yet, anyone on here care to help? > > Regards > -- > Matthew Allen > >
Re: Help with Mac repositry permissions
On Sep 8, 2010, at 01:58, Erik Andersson wrote: > Not really sure about mac.. It's UNIX. > but what I would do in linux would be: > > sudo find /path/to/repo -type f -exec chmod 660 {} \; > sudo find /path/to/repo -type d -exec chmod 2770 {} \; > sudo chown -R root.www-data /path/to/repo The user and group apache runs under on Mac OS X 10.5 and later is _www. (On 10.4 and earlier it is www.) Unless he changed it in httpd.conf.
RE: Help with Mac repositry permissions
> Linedata Limited Registered Office: 85 Gracechurch St., London, EC3V 0AA Registered in England and Wales No 3475006 VAT Reg No 710 3140 03 -Original Message- > From: Matthew Allen [mailto:f...@memecode.com] > Sent: 08 September 2010 07:41 > To: users@subversion.apache.org > Subject: Help with Mac repositry permissions > > Hi I started a serverfault question about mac svn repo permissions: > http://serverfault.com/questions/171647/what-are-the-correct-u > sergroup-for-a-mac-svn-apache-install > > But haven't got any response yet, anyone on here care to help? > You don't really say what the problem is, not here or in the serverfault report. I know you have set up Apache but do you access the repository using the http:// protocol? Or do you use svn:// or file:// ? Also, what are the permissions of /Users ? Giulio
Re: Help with Mac repositry permissions
-- Original Message -- To: Matthew Allen (f...@memecode.com) From: Erik Andersson (kir...@gmail.com) Subject: Re: Help with Mac repositry permissions Date: 8/9/2010 4:58:47p > Hi > > Not really sure about mac.. but what I would do in linux would be: > > > sudo find /path/to/repo -type f -exec chmod 660 {} \; > sudo find /path/to/repo -type d -exec chmod 2770 {} \; > sudo chown -R root.www-data /path/to/repo > > > How do you remove the global permissions? The only difference I had to the above commands was: sudo find /path/to/repo -type d -exec chmod 770 {} \; I don't know what the "2" does in front of the 770. But it looks like it still works... so maybe thats all there is to it? > What error message do you get? If I removed the global permissions then I would not be able to access the repo via the https interface anymore. The exact error message escapes me though, it was a few weeks ago. So anyway I followed the above commands and it seems to be working from the local network... the big test will be tomorrow when I try and get to my repo from work. -- Matthew Allen
RE: Help with Mac repositry permissions
> Linedata Limited Registered Office: 85 Gracechurch St., London, EC3V 0AA Registered in England and Wales No 3475006 VAT Reg No 710 3140 03 -Original Message- > From: Matthew Allen [mailto:f...@memecode.com] > Sent: 08 September 2010 10:35 > To: Giulio Troccoli > Subject: RE: Help with Mac repositry permissions > > The problem is that I want to make sure this is secure, and > the fact that it seems to be using the webserver seems to be > using the global permissions indicates to me that the repo > files are not being correctly protected. If someone gets into > my machine then they can see the repo. I want to limit access > to a) the webserver process or b) a local terminal user. Please respond to the list as well, usually by clicking on Reply-All. Also, don't top-post. > Also the /Users folder perms is: > drwxr-xr-x 6 root admin 204 18 Aug 10:03 Users Now, there's your answer. The user that runs theweb server, _www, has permission to access /Users only becuase of the others permissions __r-x. You could change the ownership of /Users to _www but I guess the /Users contains also the home directories of your users so this woldn't be acceptable. Why don't you create a directory directly under / owned by _www and access by _www only, for example mkdir /repos chown _www /repos chmod 700 /repos cp -R /Users/Svn /repos Check that the permission of /repos/Svn are still correct and then amend your web server configuration file so that the repository points to /repos/Svn and not /Users/Svn Giulio
Re: Help with Mac repositry permissions
On Wed, Sep 08, 2010 at 07:47:28PM +1000, Matthew Allen wrote: > sudo find /path/to/repo -type d -exec chmod 770 {} \; > > I don't know what the "2" does in front of the 770. But it looks like it > still works... so maybe thats all there is to it? The 2 controls the sticky bit. Mode 2770 says read-write-execute permissions for user and group and the group sticky bit set to on. See the chmod(1) man page for details on what sticky bits do. tyler
Re: Help with Mac repositry permissions
On Sep 8, 2010, at 04:53, Giulio Troccoli wrote: >> Also the /Users folder perms is: >> drwxr-xr-x 6 root admin 204 18 Aug 10:03 Users > > Now, there's your answer. The user that runs theweb server, _www, has > permission to access /Users only becuase of the others permissions __r-x. > > You could change the ownership of /Users to _www but I guess the /Users > contains also the home directories of your users so this woldn't be > acceptable. > > Why don't you create a directory directly under / owned by _www and access by > _www only, for example > > mkdir /repos > chown _www /repos > chmod 700 /repos > cp -R /Users/Svn /repos > > Check that the permission of /repos/Svn are still correct and then amend your > web server configuration file so that the repository points to /repos/Svn and > not /Users/Svn Or consider using the existing web server hierarchy Apple already established. There's already /Library/WebServer/Documents (the document root) and /Library/WebServer/CGI-Executables (the cgi-bin); consider storing your repositories in /Library/WebServer/Subversion (there are some Google hits for this so someone else thought of this before).