BenDavid

Reputation: 133

Read only access to svn repository via ssh (svn+ssh)

We desire to make Subversion repositories read-only. Doing this for a single repository in a Subversion instance did not work regarding SSH. SSH access appears to bypass the controls of svn.

Followed the suggestions here: Read-only access of Subversion repository

Write access should be restricted but that did not happen. The repository is still write accessible despite changes to the repository for read only.

Upvotes: 2

Views: 500

Answers (2)

Doug Richardson

Reputation: 10811

Restrict commit access with a start-commit hook.

Description

The start-commit hook is run before the commit transaction is even created. It is typically used to decide whether the user has commit privileges at all.

If the start-commit hook program returns a nonzero exit value, the commit is stopped before the commit transaction is even created, and anything printed to stderr is marshalled back to the client.

Input Parameter(s)

The command-line arguments passed to the hook program, in order, are:

  1. Repository path
  2. Authenticated username attempting the commit
  3. Colon-separated list of capabilities that a client passes to the server, including depth, mergeinfo, and log-revprops (new in Subversion 1.5).

Common uses

  • Access control (e.g., temporarily lock out commits for some reason).
  • A means to allow access only from clients that have certain capabilities.

Upvotes: 2
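
A start-commit hook of the kind described in the answer above, as an added example (not code from the answer or from the Subversion project). It allows commits only for usernames listed in a hypothetical `conf/commit-allow` file inside the repository and denies everyone when that file is missing, which makes the repository read-only; the file name and the function name `start_commit_check` are assumptions.

```shell
#!/bin/sh
# hooks/start-commit (added example): reject commits from users not on an allowlist.
# Subversion passes: $1 = repository path, $2 = authenticated username,
# $3 = colon-separated client capabilities.
# Assumption: conf/commit-allow is a hypothetical file with one username per line.
# With svn+ssh, $2 is the account svnserve runs as (or its --tunnel-user value).

start_commit_check() {
    repos=$1
    user=$2
    allow=$repos/conf/commit-allow

    # Fail closed when no username was authenticated.
    if [ -z "$user" ]; then
        echo "Commit denied: no authenticated user." >&2
        return 1
    fi
    # -F fixed string, -x whole-line match, -q quiet: "ali" must not match "alice".
    if [ -r "$allow" ] && grep -Fxq -e "$user" "$allow"; then
        return 0
    fi
    # Anything written to stderr is sent back to the client.
    echo "Commit denied: '$user' has read-only access to this repository." >&2
    return 1
}

# Run the check only when installed under the name Subversion looks for.
if [ "${0##*/}" = "start-commit" ]; then
    start_commit_check "$@"
    exit $?
fi
```

Install it as `hooks/start-commit` in the repository and make it executable. Because svn+ssh users run svnserve under their own account, the hook only holds if those accounts cannot edit the `hooks/` and `conf/` directories.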

PaulProgrammer

Reputation: 17630

The easiest way to restrict access (assuming there are no users who require write access) is to remove the w (write) bit on the files in the SVN repo.

chmod -R gou-w /path/to/svn-repo

That will prevent writes at the filesystem / OS level.

If some users still require access, you can create separate svn+ssh endpoints for each user class that map to different users on the host server, using group write vs other write bits to determine which group has access to affect writes:

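# Create the group for accounts that may commit, and give it the repository.
groupadd writers-grp
chgrp -R writers-grp /path/to/svn-repo
# Owner and group may write; everyone else may not.
chmod -R ug+w /path/to/svn-repo
chmod -R o-w /path/to/svn-repo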

I would then register the SSH keys for writers against the writing user on the server, and prevent password access.

The "read-only" users could be allowed a well-known password.

This isn't as "clever" or "elegant" as configuring the SVN server configs, but it works pretty darned well as long as the users keep their SSH keys secret.

Upvotes: 2
