How can I setup the permissions in Linux so that t

2019-03-16 20:10发布

问题:

My server has both Subversion and Apache installed, and the Apache web directory is also a Subversion working copy. The reason for this is that the simple command svn update /server/staging will deploy the latest source to the staging server.

Apache public web directory: /server/staging — (This is an SVN working copy.)

I have two users on my server, 'richard' and 'austin'. They both are members of the 'developers' group. I recursively set permissions on the /server directory to richard:developers, using "sudo chown -R richard:developers /server".

I then set the permissions to read, write and execute for both 'richard' and the 'developers' group.

So surely, 'austin' should now be able to use the svn update /server/staging command? However, when he tries, he gets the error:

svn: Can't open file '/server/staging/.svn/lock': Permission denied

If I recursively change the owner of /server to austin:developers, he can run the command just fine, but then 'richard' can't.

How do I fix the problem? I want to create a post-commit hook with to automatically deploy the staging site when files are committed, but I can't see a way for that to work for both users. The hook would be:

/usr/bin/svn update /server/staging

Using the same user account for both of them wouldn't really be an acceptable solution, and I'm not aware of any way to run the command inside the hook as 'root'.

Any help is appreciated!

回答1:

Directory Set Group ID

If the setgid bit on a directory entry is set, files in that directory will have the group ownership as the directory, instead of than the group of the user that created the file.

This attribute is helpful when several users need access to certain files. If the users work in a directory with the setgid attribute set then any files created in the directory by any of the users will have the permission of the group. For example, the administrator can create a group called spcprj and add the users Kathy and Mark to the group spcprj. The directory spcprjdir can be created with the set GID bit set and Kathy and Mark although in different primary groups can work in the directory and have full access to all files in that directory, but still not be able to access files in each other's primary group.

The following command will set the GID bit on a directory:

chmod g+s spcprjdir

The directory listing of the directory "spcprjdir":

drwxrwsr-x 2 kathy spcprj 1674 Sep 17 1999 spcprjdir

The "s'' in place of the execute bit in the group permissions causes all files written to the directory "spcprjdir" to belong to the group "spcprj" .

edit: source = Linux Files and File Permissions



回答2:

I would set up svnserve which is a simple Subversion server using the svn:// protocol. You can set this up so it runs under its own user account, then the repository would only be accessed by that one user. This user could then have the correct privileges to run svn update /server/staging on a post-commit hook.



回答3:

in your svn repo, you can find a 'conf' directory where you set permissions. you have 3 files there:

  • authz
  • passwd
  • svnserve.conf

you set in the authz file which users have which kind of acces, per user or per group. you set groups there, SVN groups not linux user groups (hashed lines are comments):

[groups]
# harry_and_sally = harry,sally
projectgroup = richard,austin

# [/foo/bar]
# harry = rw  -- user harry has read/write access
# * =  -- everybody have no access

# [repository:/baz/fuz]
# @harry_and_sally = rw  -- harry_and_sally group members have read/write access
# * = r  -- everyone has read access

[/server/staging]
@projectgroup = rw
* = r

work around this example and set your config. in the 'passwd' file you set up users passwords. execute

cat passwd

you'll get commented file with explanation how to set it up.



回答4:

I use WebDAV - all SVN updates and commits are handled via apache and I never have such problems.