Hi,

I currently have an svn server running on a machine to which multiple users have root access. For the svn repository I want to use per-directory access control. So I use the mod_dav module with Apache and specify permissions in /etc/svn-access-file. The problem is that since multiple users have root access, they can potentially modify this file to access content that they shouldn't be able to. Is there a way to restrict access or prevent users from modifying the svn-access-file without disabling root access for everyone else?

Thanks, Gaurav

+3  A: 

You can set it to be readonly, then users will need to set rw before modifying. That will deal with accidents, but not with determined users. As soon as a user is root, all bets are off.

Eugene
Additionally, on some filesystems (ext2-4, xfs), `chattr +i` will cause a file to become immutable, which is yet another flag that needs to be reverted before writes are allowed.
ephemient
Guess I will have to go with the readonly option. BTW, is there a way that I can be notified every time a file is modified?
gveda
You can set up a simple cron script and compare checksums every time. Not sure there is a better way.
Eugene
http://people.redhat.com/sgrubb/audit/
ephemient
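The cron checksum comparison suggested in the comments above, as an added example that is not part of the original thread: it records the SHA-256, mode and owner of the access file and reports any difference on the next run. The baseline location and the script path in the crontab comment are assumptions, and it relies on GNU `sha256sum` and `stat -c`; as the answer says, a root user can rewrite the baseline too, so this catches accidents and casual edits only.

```shell
#!/bin/sh
# Added example: integrity check for the svn access file, meant to run from cron.
# Hypothetical crontab entry (cron mails any output to MAILTO):
#   */5 * * * * /usr/local/sbin/svn-access-watch check
WATCHED="${WATCHED:-/etc/svn-access-file}"           # file named in the question
BASELINE="${BASELINE:-/var/lib/svn-watch/baseline}"  # assumed location

# Print one line describing a file: sha256, octal mode, owner:group.
fingerprint() {
    sum=$(sha256sum "$1" 2>/dev/null) || return 2
    meta=$(stat -c '%a %U:%G' "$1" 2>/dev/null) || return 2
    printf '%s %s\n' "${sum%% *}" "$meta"
}

# Record the current state of file $1 as the trusted baseline in $2.
init_baseline() {
    fingerprint "$1" > "$2"
}

# Compare file $1 against baseline $2.
# Returns 0 if unchanged, 1 if content or metadata differ, 2 on error.
check_file() {
    [ -r "$2" ] || { echo "no readable baseline at $2" >&2; return 2; }
    current=$(fingerprint "$1") || { echo "cannot read $1" >&2; return 2; }
    recorded=$(cat "$2")
    [ "$current" = "$recorded" ] && return 0
    # A permission flip (the read-only flag being reverted) shows up here
    # as well as an edit to the rules themselves.
    echo "CHANGED: $1" >&2
    echo "  baseline: $recorded" >&2
    echo "  current:  $current" >&2
    return 1
}

# Command-line entry point; does nothing when called without arguments.
case "${1:-}" in
    init)  init_baseline "$WATCHED" "$BASELINE" ;;
    check) check_file "$WATCHED" "$BASELINE"; exit $? ;;
esac
```

Run it once with `init` after each legitimate change to the access file, then let cron run `check`.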
A: 

Nope. Any user who can become root has absolute power over the system. That's why you shouldn't be handing out root user privileges to people for free. A better idea would be to restrict the privilege level of the other users (assuming you are authorized to do so), and use groups to selectively enable access rights.

Michael Aaron Safyan
It is possible to use SE Linux to restrict "root" accounts: see http://www.coker.com.au/selinux/play.html for a demonstration. However, traditional UNIX permissions are still much easier to set up.
ephemient