I'm taking over a server from a developer who has disappeared, and who has the system set up using Subversion. I have never used Subversion, but need to make sure he cannot get in using it. I do have su login.

My question is this:

Is there a way for root to modify/remove Subversion users, without logging in through Subversion?

If this doesn't make sense, it's mainly because I do not understand how Subversion operates, and therefore cannot ask the question correctly.

A: 

Subversion doesn't really have the concept of users built in; authorization is handled separately. Typically this is done by the Apache server svn is running in.

You'll need to look at your svn server configuration to see where the authorization is happening. There is a lot more specific information on this in the svn book, chapter 6.

Ken Liu
+2  A: 

How is your subversion server set up? If it's standalone, you should look in the conf directory of the repository.

If it uses SSH and the normal user accounts, then just removing the Unix user should be enough.

If it's using Apache, I'm not sure...

Jon Skeet
+3  A: 

You remove the users from the host system first

The first thing to do is to remove the host system access. Possibly this is ssh, so remove his account and archive his directory, but we would need more information about your system to say for sure. There are multiple ways to get the power to write to an svn repository.

You can find out the different sort of credentials you may need to revoke in the svn manual at this section. You might want to look quickly and see what's in conf/passwd and conf/svnserve.conf.

DigitalRoss
user and home directory removed, thanks
svn does have its own private password credential option, for `svnserve`, so it's possible that just revoking host credentials is not enough
DigitalRoss
+4  A: 

Authorisation is done in one of three ways depending on the Repository url:

http://, https:// Authentication is done in Apache. The most common and simple case is Basic Authentication. The passwd file is created by Apache's htpasswd tool. Look in your httpd.conf for its location; look for the AuthUserFile directive. The file should not hold the old developer's name.

svn:// Authentication is done in the svnserve process. For this setup, check the repository's configuration in its config directory (/path/to/repo/conf/svnserve.conf). This file should mention another file; look for password-db. The file should not hold the old developer's name.

svn+ssh:// Authentication is done via SSH, so you have to disable the old developer's system account or remove him from groups with read/write access to the repository.

Peter Parker
There are many other ways to do authentication in Apache; for example you can configure it to go to an LDAP server.
Ken Liu
Yes, that is right, thanks for the comment. I added this into my answer. This is just a comprehensive answer regarding the different svn access methods.
Peter Parker
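A way to check the three cases from the answer above in one pass, as an added example that is not part of the original thread. The function names, the sample user `olddev_x` and the constructed demo files are assumptions; it reads a single Apache config file, does not follow Include directives, and does not handle paths containing spaces.

```shell
#!/usr/bin/env bash
# Added example: list the places where USER still holds Subversion credentials.

# Resolve password-db from svnserve.conf; relative paths are relative to conf/.
password_db_path() {
    local conf_dir="$1" db
    db=$(sed -n 's/^[[:space:]]*password-db[[:space:]]*=[[:space:]]*//p' \
        "$conf_dir/svnserve.conf" 2>/dev/null | tail -n 1)
    [ -n "$db" ] || return 1
    case "$db" in /*) echo "$db" ;; *) echo "$conf_dir/$db" ;; esac
}

# True if FILE ($1) has an entry for USER ($2); SEP ($3) is "=" or ":".
has_user() {
    awk -F"$3" -v u="$2" \
        '{ gsub(/[ \t]/, "", $1) } $1 == u { f = 1 } END { exit !f }' "$1" 2>/dev/null
}

# Print one line per place where USER can still authenticate.
audit_svn_user() {
    local user="$1" repo="$2" httpd_conf="$3" db f
    # svn:// case: the user database named by password-db in svnserve.conf.
    if db=$(password_db_path "$repo/conf") && has_user "$db" "$user" "="; then
        echo "svnserve: $db"
    fi
    # http(s):// case: every htpasswd file named by an AuthUserFile directive.
    awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2 }' "$httpd_conf" |
    while read -r f; do
        if has_user "$f" "$user" ":"; then echo "apache: $f"; fi
    done
    # svn+ssh:// case: the Unix account itself.
    if id -u "$user" >/dev/null 2>&1; then echo "system: account $user exists"; fi
    return 0
}

# Constructed sample tree so the script runs offline; every name is made up.
make_demo() {
    local d; d=$(mktemp -d)
    mkdir -p "$d/repo/conf"
    printf '[general]\n# password-db = old\npassword-db = passwd\n' > "$d/repo/conf/svnserve.conf"
    printf '[users]\nolddev_x = secret\nalice = pw\n' > "$d/repo/conf/passwd"
    printf 'alice:$apr1$constructed\nolddev_x:$apr1$constructed\n' > "$d/htpasswd"
    printf '<Location /svn>\n  AuthUserFile "%s"\n</Location>\n' "$d/htpasswd" > "$d/httpd.conf"
    echo "$d"
}

demo=$(make_demo)
audit_svn_user olddev_x "$demo/repo" "$demo/httpd.conf"
```

An empty result for a user means none of the three checks found an entry; it says nothing about other Apache authentication back ends such as LDAP.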
A: 

Set up your iptables to restrict the user via his IP address.

  • assuming he has a static IP, you can DENY all from his address.

Therefore, he cannot even look at the machine.

dar7yl
-1 IP can be changed at will, e.g. by using a different Internet connection. In fact, a static IP is typically a privilege that you have to pay extra for.
Wim Coenen
You are somewhat correct. However, there is no harm in shutting an open window. Sort of like saying "I won't remove the keys from the car's ignition because they can always hot-wire it."
dar7yl
@dar7yl: If we're going to do car analogies, here's another one: it's useless to lock the car doors if you leave the windows wide open.
Wim Coenen