2 minute read

There are a lot of explanations out explaining how to setup Subversion and Apache to work smoothly together. Since I’m a bit paranoid I’d like to give one the needed rights to the Apache user.

But let’s start at the beginning and setup the environment before we care about the proper rights.

A usual apt-get install apache2 subversion libapache2-svn installs all needed packages at a Debian-based system. All sites shall reside at /etc/apache2/sites-available and you could either edit the default-site or create a new one. I choose to create a new one as I’d like to have things separated, but using the default one is quite similar.

Configure Apache

<VirtualHost *> ServerName svn.example.com ServerAlias other-name.example.com ServerAdmin webmaster@example.com

    DocumentRoot /var/www/svn/
    <Directory />
            Options FollowSymLinks
            AllowOverride None
    <Directory /var/www/svn/>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Order allow,deny
            allow from all
            # Redirect to ViewVC for the undecided
             RedirectMatch ^/$ /cgi-bin/viewcvs.cgi

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
            AllowOverride None
            Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
            Order allow,deny
            Allow from all

    # Setting for the repositories, all start with /repos
    <Location /repos>
            DAV svn
            # Path to repository base
            SVNParentPath /var/lib/svn/repos
            # Use a different XSL for the build in pages
            SVNIndexXSLT /svnindex.xsl

            # how to authenticate a user
            AuthType Basic
            AuthName "Subversion repository"
            AuthUserFile /etc/apache2/svn.example.com-htpasswd

            # For any operations other than these, 
            # require an authenticated user.
            <LimitExcept GET PROPFIND OPTIONS REPORT>
                    Require valid-user

    LogLevel warn
    ErrorLog /var/log/apache2/svn.example.com-error.log
    CustomLog /var/log/apache2/svn.walhalla.local-access.log combined

    # Include generic snippets of statements for ViewVC
    # (part of the Debian package)
    Include /etc/apache2/conf.d/viewcvs

</VirtualHost> ```

Remember that NameVirtualHost and VirtualHost settings must match. If you use an IP for the first setting you have to use the same IP for the latter.

To enable your fresh site you can either use a2ensite /etc/apache2/sites-availabe/new-site-filename or create a symlink in /etc/apache2/sites-enabled yourself. In either case you have to restart your Apache of course.

Configure Subversion

The next step is the subversion configuration and creation of a new repository. As we use /var/lib/svn/repos as our repository base path it would be

# svnadmin create /var/lib/svn/repos/Projects

which I do as root to get the proper base rights set.

For recent version of SVN you have to decide which compatibility level you like to support. –pre-1.4-compatible to support version earlier than 1.4 or –pre-1.5-compatible to support version earlier than 1.5. I suggest to use –pre-1.5-compatible, because not all distributions out there already include Subversion 1.5.

You now have a new directory /var/lib/svn/repos/Projects</a> which looks like

4 drwxr-xr-x  2 root root 4096 2009-02-03 15:48 conf
4 drwxr-xr-x  2 root root 4096 2009-02-03 15:48 dav
4 drwxr-sr-x  5 root root 4096 2009-02-03 15:48 db
4 -r--r--r--  1 root root    2 2009-02-03 15:48 format
4 drwxr-xr-x  2 root root 4096 2009-02-03 15:48 hooks
4 drwxr-xr-x  2 root root 4096 2009-02-03 15:48 locks
4 -rw-r--r--  1 root root  229 2009-02-03 15:48 README.txt

As you can see everything is owned by root and nobody else is able to write there. This is quite safe indeed, but quite useless at the same time. Is dislike the idea to give full permission to this directory to the Apache user as others suggest, but to give the rights that are really needed.

If you execute

# cd /var/lib/svn/repos/Projects
# chgrp www-data dav db locks/
# chmod g+sw db
# chmod g+w dav/
# chgrp -R www-data db/current db/revprops/ db/revs/ \
 db/transactions/ db/write-lock

You should be on the safe side and you can start versioning your data.