Securely setup subversion (SVN) with Apache
There are a lot of explanations out explaining how to setup Subversion and Apache to work smoothly together. Since I’m a bit paranoid I’d like to give one the needed rights to the Apache user.
But let’s start at the beginning and setup the environment before we care about the proper rights.
A usual apt-get install apache2 subversion libapache2-svn installs all needed packages at a Debian-based system. All sites shall reside at /etc/apache2/sites-available and you could either edit the default-site or create a new one. I choose to create a new one as I’d like to have things separated, but using the default one is quite similar.
Configure Apache
<VirtualHost *>
ServerName svn.example.com
ServerAlias other-name.example.com
ServerAdmin webmaster@example.com
DocumentRoot /var/www/svn/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/svn/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
# Redirect to ViewVC for the undecided
RedirectMatch ^/$ /cgi-bin/viewcvs.cgi
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
# Setting for the repositories, all start with /repos
<Location /repos>
DAV svn
# Path to repository base
SVNParentPath /var/lib/svn/repos
# Use a different XSL for the build in pages
SVNIndexXSLT /svnindex.xsl
# how to authenticate a user
AuthType Basic
AuthName "Subversion repository"
AuthUserFile /etc/apache2/svn.example.com-htpasswd
# For any operations other than these,
# require an authenticated user.
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
</LimitExcept>
</Location>
LogLevel warn
ErrorLog /var/log/apache2/svn.example.com-error.log
CustomLog /var/log/apache2/svn.walhalla.local-access.log combined
# Include generic snippets of statements for ViewVC
# (part of the Debian package)
Include /etc/apache2/conf.d/viewcvs
</VirtualHost> ```
Remember that NameVirtualHost and VirtualHost settings must match. If you use an IP for the first setting you have to use the same IP for the latter.
To enable your fresh site you can either use a2ensite /etc/apache2/sites-availabe/new-site-filename or create a symlink in /etc/apache2/sites-enabled yourself. In either case you have to restart your Apache of course.
Configure Subversion
The next step is the subversion configuration and creation of a new repository. As we use /var/lib/svn/repos as our repository base path it would be
# svnadmin create /var/lib/svn/repos/Projectswhich I do as root to get the proper base rights set.
For recent version of SVN you have to decide which compatibility level you like to support. –pre-1.4-compatible to support version earlier than 1.4 or –pre-1.5-compatible to support version earlier than 1.5. I suggest to use –pre-1.5-compatible, because not all distributions out there already include Subversion 1.5.
You now have a new directory /var/lib/svn/repos/Projects</a> which looks like
4 drwxr-xr-x 2 root root 4096 2009-02-03 15:48 conf
4 drwxr-xr-x 2 root root 4096 2009-02-03 15:48 dav
4 drwxr-sr-x 5 root root 4096 2009-02-03 15:48 db
4 -r--r--r-- 1 root root 2 2009-02-03 15:48 format
4 drwxr-xr-x 2 root root 4096 2009-02-03 15:48 hooks
4 drwxr-xr-x 2 root root 4096 2009-02-03 15:48 locks
4 -rw-r--r-- 1 root root 229 2009-02-03 15:48 README.txtAs you can see everything is owned by root and nobody else is able to write there. This is quite safe indeed, but quite useless at the same time. Is dislike the idea to give full permission to this directory to the Apache user as others suggest, but to give the rights that are really needed.
If you execute
# cd /var/lib/svn/repos/Projects
# chgrp www-data dav db locks/
# chmod g+sw db
# chmod g+w dav/
# chgrp -R www-data db/current db/revprops/ db/revs/ \
db/transactions/ db/write-lockYou should be on the safe side and you can start versioning your data.