| Introduction |
| ============ |
| |
| svnstsw (SVNServe Tunnel-mode Setuid/setgid Wrapper) is a wrapper |
| around svnserve that sets the tunnel user equal to the username of the |
| user that started the wrapper. |
| |
| Essentially, if the user running svnstsw logged in as "user1", then |
| svnstsw executes the following: |
| |
| /usr/bin/svnserve --tunnel --tunnel-user=user1 --root=/path/to/repository |
| |
| It is intended that svnstsw will have the SUID/SGID bit set and will |
| be owned by a user/group with read and write access to the target |
| Subversion repository files. This allows any user to access the |
| repository (modulo access controls in the repository's authz database) |
| without granting users read or write access to all of the repository |
| files. |
| |
| |
| Quick Install |
| ============= |
| |
| 1. Install Subversion. The following steps assume that svnserve was |
| installed to /usr/bin/svnserve. |
| |
| 2. Rename svnserve: |
| |
| $ sudo mv /usr/bin/svnserve /usr/bin/svnserve.real |
| |
| Why rename it? See the discussion at the end of these |
| instructions. |
| |
| 3. Create a system group named 'svn'. Do not add any users to this |
| group. |
| |
| 4. Change repository permissions: |
| |
| $ sudo chgrp -R svn /path/to/repository |
| $ sudo chmod g+rw,o-rwx /path/to/repository |
| |
| 5. Set up repository access controls. Here is an example authz file |
| (/path/to/repository/conf/authz): |
| |
| --------------------- |
| [groups] |
| group1 = user1, user2 |
| group2 = user3 |
| |
| [/] |
| @group1 = r |
| @group2 = rw |
| --------------------- |
| |
| Note that usernames in authz should come from system usernames |
| (e.g., someone who logs in as 'foo' on the system should be |
| referred to as 'foo' in the authz file). |
| |
| 6. Enable access controls. In |
| /path/to/repository/conf/svnserve.conf: |
| |
| --------------------- |
| [general] |
| authz-db = authz |
| --------------------- |
| |
| 7. Build and install svnstsw: |
| |
| $ cd ~ |
| $ tar xvfz /path/to/svnstsw-1.4.tar.gz |
| $ cd svnstsw-1.4 |
| $ ./configure --with-svnserve=/usr/bin/svnserve.real |
| $ make |
| $ sudo make install |
| |
| This puts the svnstsw executable in /usr/local/bin/svnstsw. |
| |
| 8. Create a symlink named svnserve that points to svnstsw: |
| |
| $ sudo ln -s ../local/bin/svnstsw /usr/bin/svnserve |
| |
| Now the command "svnserve" actually runs /usr/local/bin/svnstsw |
| (which in turn runs /usr/bin/svnserve.real). |
| |
| 9. Set up setgid on the svnstsw executable: |
| |
| $ sudo chgrp svn /usr/local/bin/svnstsw |
| $ sudo chmod g+s /usr/local/bin/svnstsw |
| |
| 10. You're done! Now test access. From a client machine: |
| |
| $ svn checkout svn+ssh://svn-server.acme.org/path/to/repository |
| |
| Why rename svnserve to svnserve.real: The svn client executes |
| "svnserve -t" on the server by default. Thus, for this wrapper to be |
| effective, typing "svnserve" should invoke the svnstsw wrapper, not |
| svnserve. One way to do this is to move svnserve out of the way and |
| replace it with either a copy of the svnstsw executable or a symlink |
| to the svnstsw executable. An alternative is to create a |
| svnserve->svnstsw symlink in another directory and make sure this |
| other directory is in each user's PATH environment variable *before* |
| the directory containing the real svnserve. |
| |
| If you also wish to have http-based access through the mod_dav_svn |
| Apache module, simply add the Apache user to the svn group. (You may |
| also need to make sure Apache uses a umask of 0007.) |
| |
| |
| Build Options |
| ============= |
| |
| The svnstsw wrapper has several build-time options, specified by |
| command-line arguments to the configure script. This section briefly |
| introduces some of the more interesting options. For more details, |
| see "./configure --help". |
| |
| '--with-svnserve=/path/to/svnserve': |
| |
| This tells configure where the real svnserve is located. |
| |
| '--disable-svnserve-root-override': |
| |
| This argument causes svnstsw to ignore the '--root' command-line |
| argument. |
| |
| '--with-svnserve-root-default=/path/to/repository': |
| |
| This argument causes svnstsw to always pass |
| '--root=/path/to/repository' to svnserve, unless the '--root' |
| command-line argument is passed to svnserve and the above |
| '--disable-svnserve-root-override' argument is NOT given to |
| configure. |
| |
| This command is useful for cleaning up repository URLs. For |
| example, suppose a repository is put in |
| /srv/svn-repositories/project1 on the server named |
| svn-server.acme.org. Normally, the URL to this repository would |
| look like the following: |
| |
| svn+ssh://svn-server.acme.org/srv/svn-repositories/project1 |
| |
| By passing '--with-svnserve-root-default=/srv/svn-repositories' to |
| configure, users would use the following URL instead: |
| |
| svn+ssh://svn-server.acme.org/project1 |
| |
| '--with-umask=<mode_t expression>': |
| |
| This argument is used to control the default permissions of files |
| created inside the repository (due to commits, etc.). By default, |
| the user and group will have read and write access to |
| newly-created files while everyone else will have no access at |
| all. |
| |
| The value of this expression is passed to the umask() system |
| function; see |
| http://www.opengroup.org/onlinepubs/000095399/functions/umask.html |
| and |
| http://www.opengroup.org/onlinepubs/000095399/basedefs/sys/stat.h.html |
| for details. |
| |
| '--with-doxygen=/path/to/doxygen' and |
| '--with-dot=/directory/containing/dot': |
| |
| These arguments tell the build system where it can find Doxygen |
| and the 'dot' utility. These utilities are used to build |
| documentation for the svnstsw source code, which is useful for |
| developers wishing to modify or extend svnstsw. Doxygen is |
| required to build the documentation; dot is optional. If dot is |
| found, the documentation will contain pretty graphs. |
| |
| To build the Doxygen documentation, type "make html" after running |
| configure. If "make install" is run after "make html", then the |
| Doxygen documentation will be installed (to |
| /usr/local/share/doc/svnstsw/html by default). |