Re: Help with Mac repositry permissions

2010-09-07 Thread Erik Andersson
Hi

Not really sure about mac.. but what I would do in linux would be:

sudo find /path/to/repo -type f -exec chmod 660 {} \;
sudo find /path/to/repo -type d -exec chmod 2770 {} \;
sudo chown -R root.www-data /path/to/repo

How do you remove the global permissions?

What error message do you get?

Cheers / Erik

On Wed, Sep 8, 2010 at 8:40 AM, Matthew Allen wrote:

> Hi I started a serverfault question about mac svn repo permissions:
>
> http://serverfault.com/questions/171647/what-are-the-correct-usergroup-for-a-mac-svn-apache-install
>
> But haven't got any response yet, anyone on here care to help?
>
> Regards
> --
> Matthew Allen


Re: Help with Mac repositry permissions

2010-09-08 Thread Ryan Schmidt
On Sep 8, 2010, at 01:58, Erik Andersson wrote:

> Not really sure about mac..

It's UNIX.

> but what I would do in linux would be:
> 
> sudo find /path/to/repo -type f -exec chmod 660 {} \; 
> sudo find /path/to/repo -type d -exec chmod 2770 {} \; 
> sudo chown -R root.www-data /path/to/repo

The user and group apache runs under on Mac OS X 10.5 and later is _www. (On 
10.4 and earlier it is www.) Unless he changed it in httpd.conf.



RE: Help with Mac repositry permissions

2010-09-08 Thread Giulio Troccoli


Linedata Limited
Registered Office: 85 Gracechurch St., London, EC3V 0AA
Registered in England and Wales No 3475006 VAT Reg No 710 3140 03

-Original Message-


> From: Matthew Allen [mailto:f...@memecode.com]
> Sent: 08 September 2010 07:41
> To: users@subversion.apache.org
> Subject: Help with Mac repositry permissions
>
> Hi I started a serverfault question about mac svn repo permissions:
> http://serverfault.com/questions/171647/what-are-the-correct-usergroup-for-a-mac-svn-apache-install
>
> But haven't got any response yet, anyone on here care to help?
>

You don't really say what the problem is, not here or in the serverfault report.

I know you have set up Apache but do you access the repository using the 
http:// protocol? Or do you use svn:// or file:// ?

Also, what are the permissions of /Users ?

Giulio


Re: Help with Mac repositry permissions

2010-09-08 Thread Matthew Allen
-- Original Message --
To: Matthew Allen (f...@memecode.com)
From: Erik Andersson (kir...@gmail.com)
Subject: Re: Help with Mac repositry permissions
Date: 8/9/2010 4:58:47p

> Hi
>
> Not really sure about mac.. but what I would do in linux would be:
>
>
> sudo find /path/to/repo -type f -exec chmod 660 {} \;
> sudo find /path/to/repo -type d -exec chmod 2770 {} \;
> sudo chown -R root.www-data /path/to/repo
>
>
> How do you remove the global permissions?

The only difference I had to the above commands was:

sudo find /path/to/repo -type d -exec chmod 770 {} \;

I don't know what the "2" does in front of the 770. But it looks like it still 
works... so maybe that's all there is to it?

> What error message do you get?

If I removed the global permissions then I would not be able to access the repo 
via the https interface anymore. The exact error message escapes me though, it 
was a few weeks ago.

So anyway I followed the above commands and it seems to be working from the 
local network... the big test will be tomorrow when I try and get to my repo 
from work.
--
Matthew Allen




RE: Help with Mac repositry permissions

2010-09-08 Thread Giulio Troccoli

-Original Message-


> From: Matthew Allen [mailto:f...@memecode.com]
> Sent: 08 September 2010 10:35
> To: Giulio Troccoli
> Subject: RE: Help with Mac repositry permissions
>
> The problem is that I want to make sure this is secure, and
> the fact that it seems to be using the webserver seems to be
> using the global permissions indicates to me that the repo
> files are not being correctly protected. If someone gets into
> my machine then they can see the repo. I want to limit access
> to a) the webserver process or b) a local terminal user.

Please respond to the list as well, usually by clicking on Reply-All. Also, 
don't top-post.

> Also the /Users folder perms is:
>   drwxr-xr-x   6 root  admin   204 18 Aug 10:03 Users

Now, there's your answer. The user that runs the web server, _www, has 
permission to access /Users only because of the others permissions __r-x.

You could change the ownership of /Users to _www but I guess the /Users 
contains also the home directories of your users so this wouldn't be acceptable.

Why don't you create a directory directly under / owned by _www and accessible by 
_www only, for example

mkdir /repos
chown _www /repos
chmod 700 /repos
cp -R /Users/Svn /repos

Check that the permissions of /repos/Svn are still correct and then amend your 
web server configuration file so that the repository points to /repos/Svn and 
not /Users/Svn

Giulio
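
Added example, not part of the thread and not any poster's code: the point made above about /Users generalizes to every directory on the path, since a process that is neither owner nor group member needs the "other" search (x) bit on each component. The script walks a path up to / and reports each component; the function names and the scratch tree are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not from the thread. The scratch tree is constructed data.

# Print one line per path component, from the target up to /:
# "open" when the mode lets "other" search the directory, "closed" when not.
walk_other_access() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || { echo "cannot enter $1" >&2; return 1; }
    while :; do
        mode=$(ls -ld "$dir" | cut -c1-10)
        case $mode in
            d????????[xt]) echo "open   $mode $dir" ;;
            *)             echo "closed $mode $dir" ;;
        esac
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
}

# Succeed only when every component is searchable by "other", that is, when a
# process that is neither owner nor group member (the web server) can get in.
other_can_reach() {
    report=$(walk_other_access "$1") || return 2
    if printf '%s\n' "$report" | grep -q '^closed'; then
        return 1
    fi
    return 0
}

# Constructed layout mirroring the thread: a world-searchable /Users-style
# parent next to a mode-700 /repos-style parent.
make_scratch() {
    base=$(cd "$(mktemp -d)" && pwd -P) || return 1
    mkdir -p "$base/Users/Svn" "$base/repos/Svn"
    chmod 755 "$base/Users" "$base/Users/Svn" "$base/repos/Svn"
    chmod 700 "$base/repos"
    echo "$base"
}

base=$(make_scratch)
walk_other_access "$base/Users/Svn"
walk_other_access "$base/repos/Svn"
other_can_reach "$base/repos/Svn" || echo "other is blocked below $base"
rm -rf "$base"
```

A single "closed" component above the repository is enough to keep "other" out, whatever the modes further down the tree are.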



Re: Help with Mac repositry permissions

2010-09-08 Thread Tyler Roscoe
On Wed, Sep 08, 2010 at 07:47:28PM +1000, Matthew Allen wrote:
>   sudo find /path/to/repo -type d -exec chmod 770 {} \;
> 
> I don't know what the "2" does in front of the 770. But it looks like it 
> still works... so maybe that's all there is to it?

The 2 controls the sticky bit. Mode 2770 says read-write-execute
permissions for user and group and the group sticky bit set to on.

See the chmod(1) man page for details on what sticky bits do.

tyler
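
Added example, not part of the thread and not any poster's code: in a four-digit octal mode the leading digit holds the special bits (4 setuid, 2 setgid, 1 sticky), so the script decodes that digit and audits a constructed scratch tree after the thread's two find/chmod commands. The function names and the scratch layout are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not from the thread. The scratch tree is constructed data.

# Name the special bits held in the leading digit of a four-digit octal mode.
special_bits() {
    mode=$1 lead=0 out=""
    [ ${#mode} -eq 4 ] && lead=${mode%???}
    [ $((lead & 4)) -ne 0 ] && out="$out setuid"
    [ $((lead & 2)) -ne 0 ] && out="$out setgid"
    [ $((lead & 1)) -ne 0 ] && out="$out sticky"
    echo "${out# }"
}

# The two mode changes from the thread (ownership is left untouched here).
apply_repo_modes() {
    find "$1" -type f -exec chmod 660 {} \;
    find "$1" -type d -exec chmod 2770 {} \;
}

# Entries that still grant read, write or search access to "other".
world_accessible() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Directories that do not carry the setgid bit.
dirs_without_setgid() {
    find "$1" -type d ! -perm -2000 -print
}

# Constructed repository-like tree with deliberately loose modes.
make_scratch_repo() {
    repo=$(mktemp -d) || return 1
    mkdir -p "$repo/db/revs" "$repo/conf"
    echo constructed > "$repo/db/revs/0"
    echo constructed > "$repo/conf/svnserve.conf"
    chmod -R 755 "$repo"
    echo "$repo"
}

repo=$(make_scratch_repo)
echo "before: $(world_accessible "$repo" | wc -l) world-accessible entries"
apply_repo_modes "$repo"
echo "after:  $(world_accessible "$repo" | wc -l) world-accessible entries"
echo "without setgid: $(dirs_without_setgid "$repo" | wc -l) directories"
echo "leading 2 in 2770: $(special_bits 2770)"
rm -rf "$repo"
```

On Linux a setgid directory makes new entries take the directory's group instead of the creator's primary group; macOS follows BSD semantics, where new entries take the parent directory's group whether or not the bit is set.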


Re: Help with Mac repositry permissions

2010-09-08 Thread Ryan Schmidt
On Sep 8, 2010, at 04:53, Giulio Troccoli wrote:

>> Also the /Users folder perms is:
>>  drwxr-xr-x   6 root  admin   204 18 Aug 10:03 Users
> 
> Now, there's your answer. The user that runs the web server, _www, has 
> permission to access /Users only because of the others permissions __r-x.
> 
> You could change the ownership of /Users to _www but I guess the /Users 
> contains also the home directories of your users so this wouldn't be 
> acceptable.
> 
> Why don't you create a directory directly under / owned by _www and accessible by 
> _www only, for example
> 
> mkdir /repos
> chown _www /repos
> chmod 700 /repos
> cp -R /Users/Svn /repos
> 
> Check that the permissions of /repos/Svn are still correct and then amend your 
> web server configuration file so that the repository points to /repos/Svn and 
> not /Users/Svn

Or consider using the existing web server hierarchy Apple already established. 
There's already /Library/WebServer/Documents (the document root) and 
/Library/WebServer/CGI-Executables (the cgi-bin); consider storing your 
repositories in /Library/WebServer/Subversion (there are some Google hits for 
this so someone else thought of this before).