Koozali.org: home of the SME Server

Obsolete Releases => SME 7.x Contribs => Topic started by: markleman on May 11, 2010, 04:57:59 PM

Title: SVN contrib - restrict external access by user?
Post by: markleman on May 11, 2010, 04:57:59 PM

Hi Folks,
We have setup a SVN repository for a project, the customer would like to be able to check out the code so I need to set "Access : Global" and create him an account with read-only privileges. The customer is also worried about security* and only wants the dev team to have access whilst at work (I'm happy with this they should be relaxing at home).

I can't see any obvious way to achieve this with the existing web control panel - any clues as to which config files control this then I can play hunt the template :-)

Regards, Mark Leman

* He is worried about somebody checking out the complete project off site to a unsecured computer which could then be lost or compromised, rather than the staff stealing the code. A pen drive would be a much easier way to do that and we trust our staff.

Title: Re: SVN contrib - restrict external access by user?
Post by: cactus on May 11, 2010, 05:46:15 PM

The contrib does not really cater for it (and I know as I am the author). It has been a while and I will have to look through the templates again to see if what you desire can be achieved easily. I can do so perhaps later today.

Title: Re: SVN contrib - restrict external access by user?
Post by: markleman on May 11, 2010, 05:47:43 PM

To comment on my own question :

The access is controlled by the settings in

Code: [Select]

/etc/httpd/conf/httpd.confThe actual section of this relating to the SVN repositories is generated by

Code: [Select]

/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/28SubversionContent
So for my next trick I just need to work out
1) How to restrict access by interface (internal/external eth0/eth1 etc) in httpd.conf - looks like the 'allow from' lines
2) Modify 28SubversionContent

As a quick and dirty kludge I am going to attempt to change the access permissions without adding any extra web interface. I think I will attempt this by allowing the SVN 'groups' to only have access for internal and the SVN 'users' to have access from every where.

This, whilst not elegant, should achieve what I am after for the moment....

Regards, Mark Leman

Title: Re: SVN contrib - restrict external access by user?
Post by: markleman on May 11, 2010, 05:49:38 PM

Thanks Cactus,
You posted your reply whilst I was composing mine.
Any help would be much appreciated :-)

Regards,
Mark Leman

Title: Re: SVN contrib - restrict external access by user?
Post by: cactus on May 11, 2010, 05:53:04 PM

Quote from: markleman on May 11, 2010, 05:47:43 PM

So for my next trick I just need to work out
1) How to restrict access by interface (internal/external eth0/eth1 etc) in httpd.conf - looks like the 'allow from' lines

Yes this is done using basic apache configration directives defined by mod_access (http://httpd.apache.org/docs/2.0/mod/mod_access.html), check the link for the possibilities.

Quote from: markleman on May 11, 2010, 05:47:43 PM

2) Modify 28SubversionContent

Make sure you create a copy according to the template mechanism in a relative tree in the templates-custom tree as that will override the original fragment and survive configuration changes and updates. Direct modifications to the original template might be lost on updates. For more details on the template logic and it's functions see the SME Server Dvelopers Manual linked in the Documentation section of the wiki.

Title: Re: SVN contrib - restrict external access by user?
Post by: markleman on May 11, 2010, 06:15:33 PM

Ok, I can see that for each repository which is set to 'Access Private' as block of code is generated in httpd.conf

Code: [Select]

       # Read access:
        #  User(s) : user_x user_y user z
        <Limit GET PROPFIND OPTIONS REPORT>
            order deny,allow
            deny from all
            allow from 127.0.0.1 xxx.xxx.xxx.0/255.255.255.0
            Require user user_x user_y user z
            Satisfy all
        </Limit>

        # Full access:
        #  User(s) : user_x user_y user z
        <LimitExcept GET PROPFIND OPTIONS REPORT>
            order deny,allow
            deny from all
            allow from 127.0.0.1 xxx.xxx.xxx.0/255.255.255.0
            Require user user_x user_y user z
            Satisfy all
        </LimitExcept>
but for each repository which is set to 'Access Global' the 'allow from' lines become:

Code: [Select]

allow from all
I can see the code in the template that generates this, so what I propose to do is duplicate that block of code twice code and modify it so the first copy generates group access limited to the local network and the second copy generates users access based on the 'Access' setting.

A bit of a kludge but will do for the moment....

Regards,
Mark Leman

Title: Re: SVN contrib - restrict external access by user?
Post by: markleman on May 11, 2010, 06:16:42 PM

Quote from: cactus on May 11, 2010, 05:53:04 PM

Make sure you create a copy according to the template mechanism in a relative tree in the templates-custom tree as that will override the original fragment and survive configuration changes and updates.

Will do, thanks