umask...

[me at mattgillen.net (Matthew Gillen)]

Stephen Adler wrote:
> I'm currently setting up a subversion repository server which will host
> many different repositories, and I need to make sure users who have
> access to one repository do not have access to another. The way I'm
> going about this is setting up groups and through the group ownership of
> each repository top level directory along with chmod of 770, this should
> do the trick. i.e.
> ...
> Notice how the umask then turned my 770 into 775 for the directories
> under the top level directory for the repository. I tried to access the
> repository (by doing an svn list) from a user who was not a member of
> projarepository and it gave me access deigned, which is what I want. The
> question I have is whether I should go the extra step and change the
> default umask from 0002 to 0007 for all users so that when a user who's
> a member of the projarepository makes checkouts and commits, the world
> access bits will be turned off. Or is this just more work and I'm not
> getting anything for it.
> 
> All comments greatly appreciated!

This is covered in the manual, but there's not a real nice solution:
http://svnbook.red-bean.com/en/1.2/svn.serverconfig.multimethod.html

However, this is only really a problem when providing "file://" or
"svn+ssh://" access to the repository.  If you use apache to provide
"http://"; or "https://"; access (and *only* that method), none of these umask
issues come into play, and it's more flexible from an access control
standpoint to boot.  For instance, when using apache you can control access
within repositories on a per-directory basis:
http://svnbook.red-bean.com/en/1.2/svn.serverconfig.httpd.html#svn.serverconfig.httpd.authz.perdir

Matt


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.