On Thu, Dec 30, 2010 at 03:32:01PM +0100, Stefan Sperling wrote:
> On Thu, Dec 30, 2010 at 03:29:11PM +0100, Stefan Sperling wrote:
> >  create-svn-repos.sh:
> >  #!/bin/sh
> >  svnadmin create "$1"
> >  rm -f "$1/conf/svnserve.conf"
> 
> Of course, you would also need to delete svnserve from the system
> and somehow make sure that no local user can compile their own
> svnserve binary or copy one from another system.

An even better solution would be to make sure that no normal user
on the system has read access to any of the repositories.

Well, I guess there are many ways to achieve this, and some caveats.

It would be nice if the outcome of this thread was a document detailing
requirements and solutions for a secure, Apache-only Subversion setup
on a Unix system. Employing standard security tricks like a non-privileged
user jailed in a chroot would be a plus.
Does someone have the time and energy to put something like this together?
I would be glad to do review, and help if necessary.

We could then refer to it from the book or even integrate it in the book
in part or in whole if the author gives permission to license them
under the Creative Commons Attribution License v2.0.

A similar document for svnserve would also be interesting.

Oh, and if someone has the knowledge of how to do something like
this on Windows (if that can be considered "secure" in the first place),
that would also be interesting. But I'm afraid I wouldn't be able to
help with that.

Stefan
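
The two conditions discussed in this thread (no conf/svnserve.conf in the repository, and no read access for normal users) can be checked with a short audit script. This is an added example, not code from the thread or from the Subversion project; the function name `audit_repo` and the idea of passing the web server's account as the second argument are assumptions.

```shell
#!/bin/sh
# Added example: audit one repository directory for an Apache-only setup.
# audit_repo REPO OWNER
#   REPO  - path to a repository created with "svnadmin create"
#   OWNER - account the web server runs as (assumption: supplied by the caller)
# Prints one line per finding; returns 0 if clean, 1 on findings, 2 on bad input.
audit_repo() {
    repo=$1
    owner=$2
    findings=0

    if [ ! -d "$repo" ]; then
        echo "ERROR: $repo is not a directory"
        return 2
    fi

    # The script in the thread deletes this file; flag it if it is present.
    if [ -e "$repo/conf/svnserve.conf" ]; then
        echo "FOUND: $repo/conf/svnserve.conf exists"
        findings=$((findings + 1))
    fi

    # Any "other" permission bit makes the entry reachable by normal users.
    open=$(find "$repo" ! -type l \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$open" ]; then
        echo "FOUND: entries accessible to other users:"
        echo "$open"
        findings=$((findings + 1))
    fi

    # Everything should belong to the web server account and nobody else.
    foreign=$(find "$repo" ! -user "$owner" -print)
    if [ -n "$foreign" ]; then
        echo "FOUND: entries not owned by $owner:"
        echo "$foreign"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Stand-alone use: sh audit.sh /path/to/repo account-name
if [ "$#" -eq 2 ]; then
    audit_repo "$1" "$2"
fi
```

Group permission bits are not checked here, so a repository that is group-readable still needs its group membership reviewed by hand.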
