I have a web server and I am currently paying for SVN hosting at a company that specializes in hosting svn.

I am thinking of just installing SVN on my dedicated server, are there any security implications of this?

A: 

SVN is very difficult to get set up in the Windows environment, at least if you want hosted SVN; a local repository is different. My suggestion is to stick with the company or search out a cheaper SVN that will not cost as much money. They are not difficult to set up, but you would hate to lose all your source code because of an improper backup.

Nick Berardi
SVN is difficult to set up in Windows? Why?
cherouvim
Because it's from the UNIX world and Windows doesn't like things from elsewhere.
Joshua
SVN is easy to set up: extract a ZIP file, run a cmd file to install the service, create a repository and you're done. Using VisualSVN Server makes it even easier.
M4N
How this got marked as the answer is crazy. 1. SVN on Windows is trivial, as already mentioned. 2. How do you know your hosting company actually does backups? Seriously, there are a lot who skimp, and you'd never know until they go bust. Do your own backups. Always. (Use svnsync to do this, it's easy too.)
gbjbaanb
+2  A: 

For simple security requirements, setting up Subversion with svnserve is almost trivial. Even getting it running under Apache for more extensive security needs is not overly difficult.

This is a good walk-through:

http://donie.homeip.net:8080/pebble/Steve/2006/02/27/1141079943879.html

Brad Wilson
+2  A: 

I use VisualSVN Server from http://www.visualsvn.com/server/; it is very easy to install and can be integrated with Active Directory. It's installed on a Win2008 with no problem.

Jedi Master Spooky
+2  A: 

It depends on how far you want to consider this issue.

If you want to install a Subversion server on your own, it looks like you have two options:

  • Apache
  • Subversion's own protocol

In either case, the problem isn't what the two do, but what the two unintentionally do.

If there are bugs in Apache that allow an outside attacker to gain access to your data, then that is bad. If there are bugs in Subversion's own server that allow the same, that is bad.

What you need to do is consider risk and consequences for the scenarios, and come up with a server setup that meets your requirements, if possible.

The cases you would at least have to consider would be:

  • Bug in either system that allows an attacker to sink your server (example: something which makes your server use an inordinate amount of CPU time)
  • Bug in either system that allows an attacker access to the data on that server
  • Bug in either system that allows an attacker access to your domain (i.e. all your servers and machines available from that public server)

Personally I have considered how many are hosting subversion servers through Apache now, and installed VisualSVN Server to host my own source code without a doubt.

Lasse V. Karlsen
+6  A: 

Small correction to Jedi: it's VisualSVN Server from http://www.visualsvn.com/server/

dpp
I use it on a Windows 2003. No need to tweak http.conf files. Integrated auth.
Seiti
A: 

Apache and SVN are fairly easy to get running together but there are a number of steps. It is definitely easier today than 2 years ago when I first tried. Make sure you have matching versions of the modules and spend some time playing with Apache locally before deploying to your server. There are versions of Apache with and without SSL. Check you have the one with OpenSSL included to protect credentials on the wire.

Install Apache so that it can be manually started, e.g. not as a service. You'll want to do this to avoid a collision with any IIS apps on your server. You can install Apache to run as a service later, once your config is right.

Normally Apache will use Basic Authentication. You need to secure this using SSL; the credentials are not encrypted in transit. You put user details in a test file on disk. If you want to authenticate users against Windows or Active Directory, you will have a larger task on your hands (perhaps see VisualSVN for this).

I had a quick look at VisualSVN and it seems to be a good option. However, a little Apache config experience can go a long way. Coming from an IIS background it wasn't too difficult; it just took some time to review all of the options/settings.

BrianLy
A: 

@Jedi,

He was talking about a server not the client.

Nick Berardi
A: 

VisualSVN is such a rare beast - a setup tool that is easier to install SVN on Windows than it is on Linux. And considering Linux you just have to type "yum install subversion", that's some praise.

However, if you're really worried, I would install VMware alongside and run your SVN server in a guest OS on your web server.

Security: if you run svnserve, then simply block access to that port (3960) to all but your computers. If not, you'll need to secure the svn auth config files. If you're running it using Apache, then it's just another website to secure, in the same ways as usual.

gbjbaanb
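
An added example, not part of the answer above and not Subversion's own code: a small Python audit of one repository's `conf/svnserve.conf`, illustrating the "secure the svn auth config files" point for an svnserve setup. Both sample configs are constructed, and the function name `audit_svnserve` is hypothetical.

```python
import configparser
import os
import stat

# Constructed sample: the effective defaults plus the built-in password file.
WEAK_CONF = """[general]
anon-access = read
auth-access = write
password-db = passwd
"""

# Constructed sample: no anonymous access, per-path rules, SASL for credentials.
HARDENED_CONF = """[general]
anon-access = none
auth-access = write
authz-db = authz
[sasl]
use-sasl = true
"""

def audit_svnserve(conf_text, conf_dir=None):
    """Return findings for one repository's conf/svnserve.conf text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    general = cp["general"] if cp.has_section("general") else {}
    findings = []
    # svnserve defaults to anon-access = read when the key is absent.
    anon = general.get("anon-access", "read").strip().lower()
    if anon != "none":
        findings.append(f"anon-access={anon}: no login needed to {anon} the repository")
    use_sasl = cp.get("sasl", "use-sasl", fallback="false").strip().lower() == "true"
    pwdb = general.get("password-db")
    if pwdb and not use_sasl:
        findings.append(f"password-db={pwdb}: passwords are kept in plaintext in this file")
    if not general.get("authz-db"):
        findings.append("authz-db unset: no per-path access rules")
    # POSIX only: the password file must not be accessible to group or others.
    if pwdb and conf_dir and os.name == "posix":
        path = os.path.join(conf_dir, pwdb)
        if os.path.exists(path) and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            findings.append(f"{path}: accessible to other local accounts")
    return findings

if __name__ == "__main__":
    for line in audit_svnserve(WEAK_CONF):
        print("FINDING", line)
```

Pass the repository's `conf` directory as `conf_dir` to include the file-permission check; on Windows that check is skipped and the file's ACL has to be reviewed separately.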
A: 

The production svn server is important in terms of availability, but it's never going to be enough, and it doesn't matter whether it's Windows Srvr 2007, RH Linux, whatever. You'll need a well-thought-out backup policy and to take care of access management.

ktulur