Is it possible to set up an SVN authz file to use Linux server groups?
To give a bit more detail/an example, say I have an SVN authz file as follows:
[groups]
developers = linuxUserA, linuxUserB
reviewers = linuxUserC
endUsers = linuxGroupA   # <- can I insert a Linux group here?

[/project]
@developers = rw
@reviewers = r

[/project/downloads/]
@endUsers = r
userA, userB and userC all exist as Linux users and are granted access as expected. However, members of linuxGroupA don't seem to be granted access (in this example, to the downloads folder).
So, can the SVN authz file be configured to refer to a Linux group, whose members will then get access (to, say, the downloads folder above)?
No.
The right-hand side inside the [groups] section is always a list of the authz file's own objects (other groups, aliases, users).
You can build the string endUsers = ... by processing /etc/group and writing linuxGroupA's final member list into the authz file.
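One way to do what this answer suggests, as an added example that is not the answerer's code: a POSIX shell script that resolves a Linux group to its members and emits the corresponding authz [groups] line. It goes a step beyond the answer by also picking up accounts whose primary GID is the group, which the member field of /etc/group never lists. The group and passwd files are constructed samples, and the authzName:linuxGroup pair syntax is this script's own.

```shell
#!/bin/sh
# Generate SVN authz "[groups]" entries from Linux group membership.
# Added example, not the answerer's code. The group and passwd files below
# are constructed samples; on a real server point GROUP_FILE and PASSWD_FILE
# at /etc/group and /etc/passwd (or at "getent group" / "getent passwd"
# output when accounts come from LDAP or another NSS source).

WORKDIR=$(mktemp -d)
GROUP_FILE="$WORKDIR/group"
PASSWD_FILE="$WORKDIR/passwd"

cat > "$GROUP_FILE" <<'EOF'
root:x:0:
developers:x:1002:linuxUserA,linuxUserB
linuxGroupA:x:1001:linuxUserD,linuxUserE
EOF

# linuxUserD is both an explicit member and has linuxGroupA as primary group;
# linuxUserF belongs to it only through the primary GID field.
cat > "$PASSWD_FILE" <<'EOF'
linuxUserA:x:1000:1002::/home/linuxUserA:/bin/sh
linuxUserD:x:1003:1001::/home/linuxUserD:/bin/sh
linuxUserF:x:1004:1001::/home/linuxUserF:/bin/sh
EOF

# Print the members of Linux group $1, one per line, sorted and de-duplicated:
# explicit members from the group file plus every account whose primary GID
# is that group. Returns 1 if the group does not exist.
linux_group_members() {
    gid=$(awk -F: -v g="$1" '$1 == g { print $3 }' "$GROUP_FILE")
    [ -n "$gid" ] || return 1
    {
        awk -F: -v g="$1" '$1 == g && $4 != "" {
            n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$GROUP_FILE"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$PASSWD_FILE"
    } | sort -u
}

# Emit one authz line "authzGroup = user1, user2, ..." for authz group $1 built
# from Linux group $2. Returns 1 for an unknown or empty group so that a stale
# name is noticed instead of silently producing an empty (no-access) group.
authz_group_line() {
    members=$(linux_group_members "$2" | paste -s -d, - | sed 's/,/, /g')
    [ -n "$members" ] || return 1
    printf '%s = %s\n' "$1" "$members"
}

# Regenerate the whole [groups] section from authzName:linuxGroup pairs.
generate_groups_section() {
    printf '[groups]\n'
    for pair in "$@"; do
        authz_group_line "${pair%%:*}" "${pair#*:}" || return 1
    done
}

# Stand-alone run: this is the text a cron job or provisioning script would
# splice into the repository's conf/authz in place of the old [groups] section.
generate_groups_section developers:developers endUsers:linuxGroupA
```

The path rules ([/project] and so on) stay hand-maintained; only the [groups] section is regenerated, and a group that no longer resolves makes the script fail rather than quietly granting nobody access.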
We want to make Subversion repositories read-only. Doing this for a single repository in a Subversion instance did not work with regard to ssh; ssh access appears to bypass the controls of svn.
Followed the suggestions here:
Read-only access of Subversion repository
Write access should be restricted, but that did not happen.
The repository is still write-accessible despite the read-only changes made to the repository.
The easiest way to restrict access (assuming there are no users who require write access) is to remove the w (write) bit on the files in the SVN repo.
chmod -R gou-w /path/to/svn-repo
That will prevent writes at the filesystem / OS level.
If some users still require write access, you can create separate svn+ssh endpoints for each user class that map to different users on the host server, using the group-write vs. other-write bits to determine which group is able to perform writes:
groupadd writers-grp    # "mkgrp" on AIX
chgrp -R writers-grp /path/to/svn-repo
chmod -R ug+w /path/to/svn-repo
chmod -R o-w /path/to/svn-repo
I would then register the SSH keys for writers against the writing user on the server, and prevent password access.
The "read-only" users could be allowed a well-known password.
This isn't as "clever" or "elegant" as configuring the SVN server configs, but it works pretty darned well as long as the users keep their SSH keys secret.
Restrict commit access with a start-commit hook.
Description
The start-commit hook is run before the commit transaction is even created. It is typically used to decide whether the user has commit privileges at all.
If the start-commit hook program returns a nonzero exit value, the commit is stopped before the commit transaction is even created, and anything printed to stderr is marshalled back to the client.
Input Parameter(s)
The command-line arguments passed to the hook program, in order, are:
Repository path
Authenticated username attempting the commit
Colon-separated list of capabilities that a client passes to the server, including depth, mergeinfo, and log-revprops (new in Subversion 1.5).
Common uses
Access control (e.g., temporarily lock out commits for some reason).
A means to allow access only from clients that have certain capabilities.
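A start-commit hook that implements both common uses listed above, as an added example (not from the original answer or the Subversion book): everyone except an allowlist of committers is kept read-only, anonymous and policy-file-missing cases fail closed, and clients that do not advertise a required capability are refused. The allowlist path conf/committers, the REQUIRED_CAP knob and the sample users are this script's own assumptions; the three positional arguments are the ones Subversion passes to start-commit.

```shell
#!/bin/sh
# start-commit hook: read-only repository for everyone except an allowlist of
# committers, plus an optional client-capability requirement.
# Added example, not the thread's code. conf/committers, REQUIRED_CAP and the
# sample users are assumptions of this script.

# Capability every committing client must advertise (empty string disables
# the check). "mergeinfo" rejects pre-1.5 clients, which cannot maintain
# merge tracking.
REQUIRED_CAP="mergeinfo"

# $1 = repository path, $2 = authenticated username, $3 = colon-separated
# client capabilities. Returns 0 to allow the commit and 1 to refuse it; the
# reason goes to stderr, which svn relays to the client.
start_commit_check() {
    repos="$1"; user="$2"; caps="$3"
    allowlist="$repos/conf/committers"

    # An empty username means the server did not authenticate the client
    # (e.g. anonymous svnserve access); anonymous stays read-only.
    if [ -z "$user" ]; then
        echo "Commit rejected: anonymous access to this repository is read-only." >&2
        return 1
    fi
    # Fail closed: a missing policy file must not mean "everyone may commit".
    if [ ! -r "$allowlist" ]; then
        echo "Commit rejected: $allowlist is missing or unreadable; contact the repository admin." >&2
        return 1
    fi
    # Whole-line, fixed-string match after stripping comments and surrounding
    # whitespace, so "alice" does not also admit "alice2" or "malice".
    if ! sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' "$allowlist" | grep -qxF -- "$user"; then
        echo "Commit rejected: user '$user' has read-only access to this repository." >&2
        return 1
    fi
    if [ -n "$REQUIRED_CAP" ]; then
        case ":$caps:" in
            *":$REQUIRED_CAP:"*) ;;
            *) echo "Commit rejected: your client lacks the '$REQUIRED_CAP' capability; please upgrade." >&2
               return 1 ;;
        esac
    fi
    return 0
}

# Constructed sample repository: only conf/committers matters to this hook.
DEMO_REPOS=$(mktemp -d)
mkdir -p "$DEMO_REPOS/conf"
cat > "$DEMO_REPOS/conf/committers" <<'EOF'
# one username per line; everyone else gets read-only access
alice
bob     # trailing comments are fine
EOF

# Installed as $REPOS/hooks/start-commit (mode 0755) the script ends with:
#   start_commit_check "$1" "$2" "$3" || exit 1
#   exit 0
# Run directly with three arguments it behaves exactly like that hook.
if [ "$#" -eq 3 ]; then
    start_commit_check "$1" "$2" "$3" || exit 1
    exit 0
fi
```

Because svnserve over ssh runs the hook as the Unix user the ssh session mapped to, this only helps if $2 is a real authenticated name; with anonymous write access enabled, $2 is empty and the hook refuses the commit.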
I use Samba 3 on my Raspberry Pi. I want to use a 1:1 mapping between Linux and Windows NT (Windows 8) users. At this point I have the following config for Samba:
server role = standalone # not working! unknown parameter! (testparm -v)
local master = yes
os level = 33
client ntlmv2 auth = yes
guest ok = no
server string = %h server
wins support = yes
dns proxy = no
# Auth
security = user
encrypt passwords = true
obey pam restrictions = yes
unix password sync = yes
auth methods = sam
domain logons = no
# winbind enum groups = yes
# winbind enum users = yes
## shares ##
[testdir]
path = /home/testdir
valid users = %U
browseable = yes
writeable = yes
create mode = 0600
directory mode = 0700
read only = no
[homes] # not working!
path = /home/%U # have tried with %S
valid users = %U
browseable = yes
available = yes
guest ok = no
But the homes share doesn't work, and I think there is a problem with the user mapping, because I can't access the home directories (network path not found) and Windows doesn't say "Sebi (Unix User)" but "\\smart-server\Sebi":
Output of pdbedit -L:
Ignoring unknown parameter "server role"
Sebi:1000:
Windows share properties (testdir (working!)):
I think this is a problem with the user mapping, because pdbedit -Lv outputs SIDs instead of UIDs. Does anybody know how I can configure my Samba to work as a simple share with 1:1 mapping between Unix and Windows NT users? I don't know what I'm doing wrong.
There are two ways to have 1:1 mapping of accounts between computers. The first is synchronization. This is where you copy accounts by hand or by script between machines. I think this is what you tried to do, but Windows does not work well when trying to do this. (There are other problems with this approach, which has led to the second approach.)
The second way is a directory server. There are lots of directory servers out there. Sun came out with NIS; there is DAP and LDAP, which have multiple implementations from folks like SAP, Red Hat, Oracle and Novell. But in a Windows environment the dominant directory server is Microsoft's Active Directory, which is part of Windows Server. (Prior to Windows 2000 there was a simpler service called NT domain logon, which can still be used in some cases.)
Now, if you don't want to shell out the big bucks for Windows Server, Samba has a protocol-compatible directory server. Samba 3 uses NT domain logons to serve account information, and Samba 4 is compatible with Active Directory. The general way you use Samba 3 to provide accounts to Windows is to make Samba a primary domain controller and then join Windows to the domain you just created. The accounts are then drawn from your passwd file (or wherever NSS maps your account information), but your passwords have to be stored in Samba. Samba 4 is a similar process, but newer, and all account information must be stored in Samba; you must also join your Linux box (Raspberry Pi in your case) to the domain with winbind.
On the other hand, if you have a Windows Server just lying around, you could also create your domain there and join all your machines to that domain, again using winbind for Linux.
One of the complications of using winbind is assigning or mapping UIDs for linux. It is not complicated, but you have to pay attention.
If you noticed that I have skipped some details, you have a gift for understatement. There are books on this subject that miss important details. You have some reading to do.
Is there a way to prevent users, whom I would like to be able to add repositories and modify permissions, from changing the permissions of gitolite-admin?
The gitolite-admin repo is usually only RW by the gitolite admin account:
repo gitolite-admin
RW+ = gitoliteadm
I.e. it isn't visible to any other users.
So they won't be able to clone that repo and access the gitolite.conf file, which would allow them to change permissions on any repo.
Repo creation
Now, with Gitolite V3, you can authorize users to declare new repos and create them without giving them access to the gitolite-admin repo.
This is called "wild repo".
The wildrepos feature allows you to specify access control rules using regular expression patterns, so you can have many actual repos being served by a single set of rules in the config file.
The regex pattern can also include the word CREATOR in it, allowing you to parametrize the name of the user creating the repo.
@prof = u1
@TAs = u2 u3
@students = u4 u5 u6

repo assignments/CREATOR/a[0-9][0-9]
    C = @students
    RW+ = CREATOR
    RW = WRITERS @TAs
    R = READERS @prof
Note the "C" permission.
This is a standalone "C", which gives the named users the right to create a repo.
This is not to be confused with the "RWC" or its variants described elsewhere, which are about branches, not repos.
Permission management
It is called delegation:
Delegation allows you to divide up a large conf file into smaller groups of repos (called subconfs) and hand over responsibility to manage them to sub-admins.
Gitolite can prevent one sub-admin from being able to set access rules for any other sub-admin's repos.
I have a personal project which is stored in an svn repository in my home directory on a server. I want to give another user access to the repository.
I have given the user read permissions on my home directory (but not any of the documents or subfolders). I have also given them read and execute permissions on the repository.
When I attempt to checkout the repository locally as the user with:
svn co file:///home/myusername/theRepository ./aName
I get the message
svn: Unable to open an ra_local session to URL
svn: Unable to open repository 'file:///home/myusername/theRepository'
svn: Can't open file '/home/myusername/theRepository/format': Permission denied
Changing the permissions on format has no effect (e.g. giving group, user, and world all read/write/exec permissions still produces exactly this message).
I'm sure there must be a way to do this. Any suggestions?
EDIT: I would like to allow users to access it using svn+ssh.
You should not give the other user file permissions on your account. You should configure your SVN repository (typically, it will have a conf directory with passwd and authz files) to create an SVN account for the other user and set appropriate permissions for that account on the repository.
Did you make sure to go to the /conf/ directory in your SVN directory and update the passwd file to allow another user?
You should be able to open up passwd with vim (assuming this is a Linux box) and add the new user for the repo. The format of a new user entry in the file is username = password, ...
i.e.
John Doe = password123
Save the file and restart the SVN service.
Giving the new user read access to all higher level directories resolved this issue.
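A quick diagnostic for the failure described in this question, as an added example that is not part of the thread: a POSIX shell function that walks from the repository up to the root and reports every directory that denies other users the search (execute) bit, which is the permission directory traversal actually requires (read on a directory only permits listing it). It checks only the "others" permission class, so it assumes the second user is not in the owner's group; the directory tree it builds is a constructed sample.

```shell
#!/bin/sh
# Find the directories that block file:/// access to a repository for other
# users. Added example, not from the thread. Only the "others" permission
# class is examined; the tree below is a constructed sample.

# Print every directory from $1 (absolute repository path) up to the root
# that denies "others" the search (x) bit. svn's ra_local layer has to
# traverse each parent before it can open <repo>/format, so any line printed
# here explains a "Can't open file ... Permission denied" even when format
# itself is world-readable.
unsearchable_parents() {
    dir="$1"
    while [ -n "$dir" ] && [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        if [ -d "$dir" ]; then
            # column 10 of "ls -ld" is the others-execute bit: x, or t when
            # the sticky bit is also set (as on /tmp)
            ox=$(ls -ld "$dir" | cut -c10)
            case "$ox" in
                x|t) ;;
                *)   printf '%s\n' "$dir" ;;
            esac
        fi
        dir=$(dirname "$dir")
    done
}

# Constructed sample: home is traversable (711), the user's directory is not
# (700), the repository itself is world-readable (755).
DEMO_ROOT=$(mktemp -d)
mkdir -p "$DEMO_ROOT/home/myusername/theRepository"
chmod 711 "$DEMO_ROOT/home"
chmod 700 "$DEMO_ROOT/home/myusername"
chmod 755 "$DEMO_ROOT/home/myusername/theRepository"

# Stand-alone run: prints the 700 directory (and the temporary root itself,
# because mktemp creates it mode 700).
unsearchable_parents "$DEMO_ROOT/home/myusername/theRepository"
```

Granting only the search bit on the home directory (chmod o+x, not o+r) is enough for traversal and keeps its contents unlistable, which is a smaller concession than the read permission the question describes.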
I want to know how I can set a user name and password for each user in TortoiseSVN. I already did these steps to make the repository:
- Created a file then created repository in this file.
- Changed " svnserve.conf " in conf file.
- Then set all users and their passwords in the conf file.
- I changed authz to access my repository, also in the conf file.
I try and try to authenticate many users for each project, but as file, not HTTP.
I hope to someone help me in this issue.
I'm having trouble understanding your question, but it sounds to me like you ought to move to integrating Apache with SVN. That will give you the ability to give users different levels of access on a per-directory basis.
Refer to the section Per-Directory Access Control in the SVN book:
It's possible to set up finer-grained permissions using a second Apache httpd module, mod_authz_svn. This module grabs the various opaque URLs passing from client to server, asks mod_dav_svn to decode them, and then possibly vetoes requests based on access policies defined in a configuration file.