
Wednesday, 30 June 2010

Subversion server running on Fedora 13

Running a Subversion server behind the Apache daemon should be an easy task, unless you're a security n00b like me.

  1. Installing required binaries:
    sudo yum install subversion httpd mod_dav_svn

  2. mod_dav_svn creates a skeleton configuration file, subversion.conf, for the httpd daemon in
    /etc/httpd/conf.d/. Unfortunately, the comments in this file that deal with creating a new repository contain a bug:

    # Example configuration to enable HTTP access for a directory
    # containing Subversion repositories, "/var/www/svn". Each repository
    # must be both:
    # a) readable and writable by the 'apache' user, and
    # b) labelled with the 'httpd_sys_content_rw_t' context if using
    # SELinux

    # To create a new repository "http://localhost/repos/stuff" using
    # this configuration, run as root:
    # # cd /var/www/svn
    # # svnadmin create stuff
    # # chown -R apache.apache stuff
    # # chcon -R -t httpd_sys_content_t stuff

    The last line should instead set the SELinux context to httpd_sys_content_rw_t, because the repository has to be writable by httpd:

    chcon -R -t httpd_sys_content_rw_t stuff

    Anyway, let's set up our httpd configuration as follows:

    • the path for all repositories is /var/www/svn

    • for Apache authentication I chose the simplest scheme, Basic, with the password file stored in /var/svn/passwd

    • finally, I chose to store the global svn authorization file in /var/svn/svnauth

    With these settings, our subversion.conf looks like this:

    LoadModule dav_svn_module modules/
    LoadModule authz_svn_module modules/
    <Location /repos>
      DAV svn
      SVNParentPath /var/www/svn
      AuthzSVNAccessFile /var/svn/svnauth
      Order deny,allow
      AuthType Basic
      AuthName "Subversion repository"
      AuthUserFile /var/svn/passwd
      Require valid-user
    </Location>
    ## logger for svn: /var/log/httpd/svn_log
    CustomLog logs/svn_log "%t %u %{SVN-ACTION}e" env=SVN-ACTION

  3. the Apache authentication file is of course produced using the htpasswd command:

    # for the first user, create the file (-c) and use MD5-based password hashing (-m);
    # -c overwrites an existing file, so use it only once
    sudo htpasswd -cm /var/svn/passwd cibak
    New password: xxxxx
    Retype new password: xxxxx
    Adding password for user cibak
    # all other users are only added, with the same hashing
    sudo htpasswd -m /var/svn/passwd jack

    Once this file is ready, we have to set the correct SELinux context:

    sudo chcon -t httpd_sys_content_t /var/svn/passwd

  4. creation of a new repository:

    sudo svnadmin create /var/www/svn/myrepo
    sudo chown -R apache:apache /var/www/svn/myrepo
    sudo chcon -R -t httpd_sys_content_rw_t /var/www/svn/myrepo

  5. creation of the subversion authorization file /var/svn/svnauth in whatever editor you choose (I prefer emacs):

    # cibak has read-write rights to the whole repository, jack could only read
    cibak = rw
    jack = r
    # but jack is able to write in his own directory
    jack = rw

    Syntax of this file is better described in the Subversion bible.

    Of course, once again we should remember to set the correct SELinux context:

    sudo chcon -t httpd_sys_content_t /var/svn/svnauth

  6. restarting the httpd daemon is the last step to switch our repo on:

    sudo /etc/init.d/httpd restart

  7. et voilà, our repository is accessible at the https://localhost/repos/myrepo URL.
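
Subversion scopes each rule in the authorization file from step 5 by a `[path]` section header and answers an access check from the most specific section that names the user, falling back to parent paths. The sketch below is an added example, not part of the original post or of Subversion itself; the section paths `[/]` and `[/jack]`, the sample file paths and the user `guest` are assumptions, and it handles named users only.

```python
import configparser

# Constructed authz file for step 5. The section paths [/] and [/jack]
# are assumptions; each rule applies to the path named by its section.
SAMPLE_AUTHZ = """\
[/]
# cibak has read-write rights to the whole repository, jack can only read
cibak = rw
jack = r

[/jack]
# but jack is able to write in his own directory
jack = rw
"""


def load_rules(text):
    """Parse global [/path] sections into {path: {user: rights}}."""
    cp = configparser.ConfigParser(
        interpolation=None, delimiters=("=",), comment_prefixes=("#",))
    cp.optionxform = str  # keep user names case-sensitive
    cp.read_string(text)
    return {s.rstrip("/") or "/": dict(cp[s])
            for s in cp.sections() if s.startswith("/")}


def access(rules, user, path):
    """Return the rights string from the most specific section naming user.

    Walks from path up to the root; an unmatched user gets "" (no access).
    Simplified: named users only, no groups, aliases, '*' or [repo:/path].
    """
    parts = [p for p in path.split("/") if p]
    while True:
        section = rules.get("/" + "/".join(parts), {})
        if user in section:
            return section[user].strip()
        if not parts:
            return ""
        parts.pop()


RULES = load_rules(SAMPLE_AUTHZ)

if __name__ == "__main__":
    for user, path in [("cibak", "/trunk"), ("jack", "/trunk"),
                       ("jack", "/jack/notes.txt"), ("guest", "/")]:
        print(f"{user:8} {path:18} {access(RULES, user, path) or '-'}")
```

A user who is authenticated by the password file but not named in any matching section ends up with no access at all.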
