R – Subversion creating revision directories with too-strict permissions

linuxpermissionsposixsvn

This morning, I tried to commit a revision to Subversion and found that all of a sudden I did not have permission to do so.

Can't move '/svn/db/txn-protorevs/21000-ga9.rev' to '/svn/db/revs/21/21001':
Permission Denied

Looking at the revs directory, I noticed that somebody had committed the 21000th revision, and the group write permission for the new directory is missing for some reason.

    drwxrwsr-x  2 svn    svn  24K 2008-10-27 10:04 19
    drwxrwsr-x  2 svn    svn  24K 2008-12-18 07:13 20
    drwxr-sr-x  2 jeff   svn 4.0K 2008-12-18 11:18 21

Setting the group write permission on that directory allows me to commit, so I'm good for another 1000 revisions. But why does this happen, and what can I change to make sure it doesn't happen again?

Best Answer

If you have more than one developer accessing the repository through the file:// protocol, you may want to look into setting up a Subversion server (using svnserve or Apache). With that solution, the server itself is responsible for all access and permissions on the repository files, and you won't run into this problem.

From the SVN Book:

Do not be seduced by the simple idea of having all of your users access a repository directly via file:// URLs. Even if the repository is readily available to everyone via a network share, this is a bad idea. It removes any layers of protection between the users and the repository: users can accidentally (or intentionally) corrupt the repository database, it becomes hard to take the repository offline for inspection or upgrade, and it can lead to a mess of file permission problems (see the section called “Supporting Multiple Repository Access Methods”). Note that this is also one of the reasons we warn against accessing repositories via svn+ssh:// URLs—from a security standpoint, it's effectively the same as local users accessing via file://, and it can entail all the same problems if the administrator isn't careful.

Related Solutions

Linux – How to setup the permissions in Linux so that two users can update the same SVN working copy on the server

Directory Set Group ID

If the setgid bit on a directory entry is set, files in that directory will have the group ownership as the directory, instead of than the group of the user that created the file.

This attribute is helpful when several users need access to certain files. If the users work in a directory with the setgid attribute set then any files created in the directory by any of the users will have the permission of the group. For example, the administrator can create a group called spcprj and add the users Kathy and Mark to the group spcprj. The directory spcprjdir can be created with the set GID bit set and Kathy and Mark although in different primary groups can work in the directory and have full access to all files in that directory, but still not be able to access files in each other's primary group.

The following command will set the GID bit on a directory:

chmod g+s spcprjdir

The directory listing of the directory "spcprjdir":

drwxrwsr-x 2 kathy spcprj 1674 Sep 17 1999 spcprjdir

The "s'' in place of the execute bit in the group permissions causes all files written to the directory "spcprjdir" to belong to the group "spcprj" .

edit: source = Linux Files and File Permissions

Where did the committed file go

I think this SVN FAQ entry will help you: "I'm managing a website in my repository. How can I make the live site automatically update after every commit?":

This is done all the time, and is easily accomplished by adding a post-commit hook script to your repository. Read about hook scripts in Chapter 5 of the book. The basic idea is to make the "live site" just an ordinary working copy, and then have your post-commit hook script run 'svn update' on it.

In practice, there are a couple of things to watch out for. The server program performing the commit (svnserve or apache) is the same program that will be running the post-commit hook script. That means that this program must have proper permissions to update the working copy. In other words, the working copy must be owned by the same user that svnserve or apache runs as -- or at least the working copy must have appropriate permissions set.

If the server needs to update a working copy that it doesn't own (for example, user joe's ~/public_html/ area), one technique is create a +s binary program to run the update, since Unix won't allow scripts to run +s. Compile a tiny C program:
#include <stddef.h>
#include <stdlib.h>
#include <unistd.h> 
int main(void) 
{
   execl("/usr/local/bin/svn", "svn", "update", "/home/joe/public_html/",
         (const char *) NULL);  
   return(EXIT_FAILURE);
}
... and then chmod +s the binary, and make sure it's owned by user 'joe'. Then in the post-commit hook, add a line to run the binary.

If you have problems getting the hook to work, see "Why aren't my repository hooks working?".

Also, you'll probably want to prevent apache from exporting the .svn/ directories in the live working copy. Add this to your httpd.conf:
# Disallow browsing of Subversion working copy administrative dirs.
<DirectoryMatch "^/.*/\.svn/">
Order deny,allow
Deny from all 

An alternative: You could use the in-place import. Look here how to do it.

Best Answer

Related Solutions

Linux – How to setup the permissions in Linux so that two users can update the same SVN working copy on the server

Where did the committed file go

Related Topic