Linux – Proper Subversion permissions using HTTP and repository authorization with Linux users

Tags: apache-2.2, linux, permissions, svn, user-permissions

Sorry for this “stupid” question but I really can’t find a solution on the internet. Please help me.

I’m using Subversion on a Linux server to keep under version control the files of a website project I’m maintaining.

This is my configuration:

Project folder (a working copy of the repository on the server, in order to access the project and see the website with a browser – Apache points to this directory as DocumentRoot):

/var/projects/prj

Repository folder:

/var/repo/prjrepo

When I installed SVN (apt-get install subversion libapache2-svn), it created neither the user subversion nor the group subversion. I can’t understand why.

I use TortoiseSVN on Windows to checkout/update/commit.

I use HTTP to connect to repositories with a list of authorized users:

http://1.2.3.4/svn/prjrepo

The list of users authorized to the repository is saved in an htpasswd file with the list of users and their MD5 passwords.

Of course Apache runs as www-data.

The prj folder is owned by root:root and others have only rx access to the files, except to those directories that www-data needs to write (file uploads for example).

The repository folder is owned by a user and group I created, svn:svn, but maybe this is not useful. The permissions are rwx for user and for group and nothing for others. In addition, I forced g+s on all folders, so that the svn group will always be the owner of all new files.

The problem is that when I commit a file to the repository, it says it failed due to “permission denied”. I can understand why: the repository folder is owned by svn:svn, but Tortoise makes an HTTP request to the server when it commits. HTTP requests are run as www-data, which of course has no permissions to the repository.

I added a post-commit action as well, in order to update the working copy (prj folder) on every commit. If I change the owner group of the repository to www-data, Tortoise is able to commit but of course the post-commit action fails with an error because www-data can’t write ALL the directories and files under the prj folder. And this is correct (www-data can’t write files it only has to read – it’s Apache, it’s the website…).

So: I really can’t find out how to properly configure the permissions on the folders in order to make everything work right. Remember that www-data MUST NOT have write access to prj because it only has to read those files (except some folders like the one used for file uploads, for example).

Another question: now Apache is configured to allow access to the repository only to those users defined under a specific htpasswd file created for this purpose (see above). Is there any way to make the repository accessible to some LINUX users without defining new users just for the repository access? Is that possible? How?

Best Answer

If you are using the DAV option for Subversion, then you need to give the web server access to the repository. This can be as simple as changing all the files/directories for the repository to be owned by www-data.

If you want your post-commit action to do something useful you probably need to look at setting up passwordless sudo for the specific scripts/commands that it needs to perform while running as www-data. So in your post-command script you might have something like

sudo bash -c 'cd /var/projects/prj && svn update'
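
One way to scope the passwordless sudo described in the answer, as an added example that is not the answerer's code: a sudoers rule that lets www-data run bash as root hands the web server a root shell, so this setup grants exactly one root-owned wrapper script, with no arguments. The wrapper path and the sudoers drop-in name are assumptions; the repository and working-copy paths are the ones from the question.

```shell
#!/bin/sh
# Added example, not the answerer's code. Paths marked "assumed" are illustrative.
WC=/var/projects/prj                    # working copy (from the question)
REPO=/var/repo/prjrepo                  # repository (from the question)
WRAPPER=/usr/local/sbin/prj-svn-update  # assumed wrapper path
SUDOERS=/etc/sudoers.d/prj-svn-update   # assumed drop-in name (no dots, or sudo skips it)

# Root-owned wrapper: fixed PATH, fixed target directory, takes no arguments.
render_wrapper() {
    cat <<EOF
#!/bin/sh
PATH=/usr/sbin:/usr/bin:/sbin:/bin; export PATH
exec svn update --non-interactive --quiet $WC
EOF
}

# sudoers rule: www-data may run only the wrapper, and the trailing ""
# means "with no arguments". No shell, no wildcards.
render_sudoers() {
    printf 'www-data ALL=(root) NOPASSWD: %s ""\n' "$WRAPPER"
}

# post-commit hook: Subversion runs hooks with an empty environment, so use
# absolute paths; -n makes sudo fail instead of waiting for a password.
render_hook() {
    cat <<EOF
#!/bin/sh
exec /usr/bin/sudo -n $WRAPPER
EOF
}

# Install everything (run as root). The sudoers fragment is syntax-checked
# with visudo before it is copied into place.
install_all() {
    tmp=$(mktemp) || return 1
    render_wrapper > "$tmp" && install -o root -g root -m 0755 "$tmp" "$WRAPPER" || return 1
    render_hook > "$tmp" && install -o root -g root -m 0755 "$tmp" "$REPO/hooks/post-commit" || return 1
    render_sudoers > "$tmp" && visudo -cf "$tmp" >/dev/null &&
        install -o root -g root -m 0440 "$tmp" "$SUDOERS" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
}

if [ "${1:-}" = install ]; then install_all; fi
```

Run it as root with the single argument install; without that argument it only defines the functions, so each rendered file can be inspected first (for example by calling render_sudoers).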