If the server is only hosting repositories, there is no reason for users to be
allowed 'interactive' access.
+== allowed_interactive and sudo ==
+
+For users that use repo_shell as a login shell and that also need to run
+commands via sudo as other users, those other users must also be listed in the
+allowed_interactive user list. Otherwise, sudo functionality is effectively
+disabled for such users.
+
= Create owner and paths
In accordance with the settings in /etc/repo_shell.conf:
- sudo adduser --system --group <owner> --home /var/lib/svn \
- --shell /bin/false <owner>
+ sudo adduser --system --group --home /var/lib/svn --shell /bin/false <owner>
+ sudo chsh -s /bin/bash <owner> # a shell is needed for 'sudo -iu'
sudo install -d -o <owner> -g <owner> -m 0750 <svn_root>/..
sudo install -d -o <owner> -g <owner> -m 0750 <svn_root>
sudo install -d -o <owner> -g <owner> -m 0750 <git_root>
= Configure subversion repository ACLs
Subversion repositories created with the svncreate command have their
-conf/svnserve.conf file pointing to the global {svn_root}/../authz.conf file.
-It is this file that is used to set access control permissions for repositories.
-Subversion's authz file allows path based control as well. For more
-information, please see the Subversion Red Bean guide at:
+conf/svnserve.conf as a symbolic link pointing to the global
+{svn_root}/../svnserve.conf file, which then references internally the global
+authz.conf file. It is this file that is used to set access control permissions
+for repositories. Subversion's authz file allows path based control as well.
+For more information, please see the Subversion Red Bean guide at:
http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html
+A simple and secure svnserve.conf file:
+
+ [general]
+ anon-access = none
+ auth-access = write
+ authz-db = /var/lib/svn/authz.conf
+
+A simple and secure authz.conf file:
+
+ [groups]
+ devs = user1, user2, user3
+
+ [/] # All repositories, all paths
+ @devs = rw
+ * =
+
+For path-based controls, consider using the pre-commit hook that uses
+svnperms.py. The ability to prevent update of tags, which my definition is
+almost always an accident, is itself worth the price of admission.
+
= Configure git repository ACLs
Git repository access control is managed by the git acl file, located at
defines one of three levels of access for various combinations of users and
repositories, then compared to the git command arriving via SSH to determine if
the access will be allowed. Please see README.gitacls for more information.
+A simple .gitacls might look like:
+
+ [user_groups]
+ devs = user1 user2 user3
+
+ [repo *]
+ devs = rw
+ * =
= Create a subversion repository
projects / repo_shell.git / blobdiff