Re: Help with Mac repository permissions
Hi

Not really sure about mac.. but what I would do in linux would be:

sudo find /path/to/repo -type f -exec chmod 660 {} \;
sudo find /path/to/repo -type d -exec chmod 2770 {} \;
sudo chown -R root.www-data /path/to/repo

How do you remove the global permissions? What error message do you get?

Cheers / Erik

On Wed, Sep 8, 2010 at 8:40 AM, Matthew Allen f...@memecode.com wrote:

> Hi
>
> I started a serverfault question about mac svn repo permissions:
> http://serverfault.com/questions/171647/what-are-the-correct-usergroup-for-a-mac-svn-apache-install
>
> But haven't got any response yet, anyone on here care to help?
>
> Regards
> --
> Matthew Allen
Re: Help with Mac repository permissions
On Sep 8, 2010, at 01:58, Erik Andersson wrote:

> Not really sure about mac..

It's UNIX.

> but what I would do in linux would be:
>
> sudo find /path/to/repo -type f -exec chmod 660 {} \;
> sudo find /path/to/repo -type d -exec chmod 2770 {} \;
> sudo chown -R root.www-data /path/to/repo

The user and group apache runs under on Mac OS X 10.5 and later is _www. (On 10.4 and earlier it is www.) Unless he changed it in httpd.conf.
RE: Help with Mac repository permissions
Linedata Limited Registered Office: 85 Gracechurch St., London, EC3V 0AA Registered in England and Wales No 3475006 VAT Reg No 710 3140 03

-----Original Message-----
From: Matthew Allen [mailto:f...@memecode.com]
Sent: 08 September 2010 07:41
To: users@subversion.apache.org
Subject: Help with Mac repository permissions

> Hi
>
> I started a serverfault question about mac svn repo permissions:
> http://serverfault.com/questions/171647/what-are-the-correct-usergroup-for-a-mac-svn-apache-install
>
> But haven't got any response yet, anyone on here care to help?

You don't really say what the problem is, not here or in the serverfault report. I know you have set up Apache but do you access the repository using the http:// protocol? Or do you use svn:// or file://?

Also, what are the permissions of /Users?

Giulio
Re: Help with Mac repository permissions
-- Original Message --
To: Matthew Allen (f...@memecode.com)
From: Erik Andersson (kir...@gmail.com)
Subject: Re: Help with Mac repository permissions
Date: 8/9/2010 4:58:47p

> Hi
>
> Not really sure about mac.. but what I would do in linux would be:
>
> sudo find /path/to/repo -type f -exec chmod 660 {} \;
> sudo find /path/to/repo -type d -exec chmod 2770 {} \;
> sudo chown -R root.www-data /path/to/repo
>
> How do you remove the global permissions?

The only difference I had to the above commands was:

sudo find /path/to/repo -type d -exec chmod 770 {} \;

I don't know what the 2 does in front of the 770. But it looks like it still works... so maybe that's all there is to it?

> What error message do you get?

If I removed the global permissions then I would not be able to access the repo via the https interface anymore. The exact error message escapes me though, it was a few weeks ago.

So anyway I followed the above commands and it seems to be working from the local network... the big test will be tomorrow when I try and get to my repo from work.

--
Matthew Allen
RE: Help with Mac repository permissions
-----Original Message-----
From: Matthew Allen [mailto:f...@memecode.com]
Sent: 08 September 2010 10:35
To: Giulio Troccoli
Subject: RE: Help with Mac repository permissions

> The problem is that I want to make sure this is secure, and the fact that the webserver seems to be using the global permissions indicates to me that the repo files are not being correctly protected. If someone gets into my machine then they can see the repo. I want to limit access to a) the webserver process or b) a local terminal user.

Please respond to the list as well, usually by clicking on Reply-All. Also, don't top-post.

> Also the /Users folder perms is:
> drwxr-xr-x 6 root admin 204 18 Aug 10:03 Users

Now, there's your answer. The user that runs the web server, _www, has permission to access /Users only because of the others permissions __r-x. You could change the ownership of /Users to _www but I guess that /Users also contains the home directories of your users so this wouldn't be acceptable.

Why don't you create a directory directly under / owned by _www and accessible by _www only, for example

mkdir /repos
chown _www /repos
chmod 700 /repos
cp -R /Users/Svn /repos

Check that the permissions of /repos/Svn are still correct and then amend your web server configuration file so that the repository points to /repos/Svn and not /Users/Svn

Giulio
Re: Help with Mac repository permissions
On Wed, Sep 08, 2010 at 07:47:28PM +1000, Matthew Allen wrote:

> sudo find /path/to/repo -type d -exec chmod 770 {} \;
>
> I don't know what the 2 does in front of the 770. But it looks like it still works... so maybe that's all there is to it?

The 2 controls the sticky bit. Mode 2770 says read-write-execute permissions for user and group and the group sticky bit set to on. See the chmod(1) man page for details on what sticky bits do.

tyler
Re: Help with Mac repository permissions
On Sep 8, 2010, at 04:53, Giulio Troccoli wrote:

>> Also the /Users folder perms is:
>> drwxr-xr-x 6 root admin 204 18 Aug 10:03 Users
>
> Now, there's your answer. The user that runs the web server, _www, has permission to access /Users only because of the others permissions __r-x. You could change the ownership of /Users to _www but I guess that /Users also contains the home directories of your users so this wouldn't be acceptable.
>
> Why don't you create a directory directly under / owned by _www and accessible by _www only, for example
>
> mkdir /repos
> chown _www /repos
> chmod 700 /repos
> cp -R /Users/Svn /repos
>
> Check that the permissions of /repos/Svn are still correct and then amend your web server configuration file so that the repository points to /repos/Svn and not /Users/Svn

Or consider using the existing web server hierarchy Apple already established. There's already /Library/WebServer/Documents (the document root) and /Library/WebServer/CGI-Executables (the cgi-bin); consider storing your repositories in /Library/WebServer/Subversion (there are some Google hits for this so someone else thought of this before).
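
Added example, not part of any message in this thread: POSIX sh functions that apply the 660/2770 modes quoted above, list whatever under a repository is still open to "others", and list the ancestor directories (like /Users in the thread) that anyone can traverse. The function names are hypothetical and the repository path is supplied by the caller.

```shell
#!/bin/sh
# Added example: function names are hypothetical, paths come from the caller.

# Apply the modes quoted in the thread: files 660, directories 2770.
# In octal notation the leading 2 is the set-group-ID bit; on Linux it makes
# new entries inherit the directory's group. Ownership (chown) is left to
# the caller because it needs root.
lock_down_repo() {
    find "$1" -type f -exec chmod 660 {} \; &&
    find "$1" -type d -exec chmod 2770 {} \;
}

# Print every entry under $1 that grants read, write or execute to "others".
# Symbolic links are skipped because their own mode bits are not enforced.
world_accessible() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Print each ancestor directory of $1 that "others" may traverse (o+x).
# A repository locked down to user and group is still reachable by the web
# server only if every ancestor lets that account through, as with the
# drwxr-xr-x /Users directory in the thread.
ancestors_open_to_others() {
    dir=$(cd "$1" && pwd -P) || return 1
    while [ "$dir" != "/" ]; do
        dir=$(dirname "$dir")
        find "$dir" -prune -perm -001 -print
    done
}

# Usage: sh audit.sh /path/to/repo   (report only, changes nothing)
if [ "$#" -eq 1 ]; then
    echo "Entries open to others:"
    world_accessible "$1"
    echo "Ancestors anyone can traverse:"
    ancestors_open_to_others "$1"
fi
```

Run the report as a user who can read the whole tree (for example via sudo), otherwise find cannot descend into directories that are already restricted.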