what are correct permissions for trac with two svn repos and user sets?

Skye Bender-deMoll

Sep 27, 2012, 12:58:45 PM
to trac-...@googlegroups.com
Dear trac-ers,

I'm having difficulty configuring repository permissions correctly for
our use scenario.

We have:

A single Trac instance managing a complex project involving two svn
repositories.

A partially overlapping set of users who should be able to view and
commit to each repository.

Trac 0.12.2 is being served via Apache on a Debian system.

Users commit code using svn+ssh://<unix_username>@svnhost

Repository code browsing permissions are managed using the Trac http
login and AuthZ permissions file to control who can see which repository.


My concept for the unix permissions scheme is that we have three unix
groups "svn-repo-A", "svn-repo-B" and "svn-both". Users are in either
the A or B group, the Trac files are owned by "www-data" with full
permissions from the "svn-both" group, so that post-commit scripts can
be run when users commit to either repository. Repositories are owned
and readable by "www-data" and have the appropriate svn group. My
thought was that if "www-data" can read the repositories, Trac should be
able to browse the code (subject to the AuthZ permissions), and the unix
users should still be restricted to viewing only the appropriate
repository when they ssh in.

Everything seems to work fine, except that I can only get Trac repo
browsing to work if the repositories are set to world-readable, which
kind of defeats the purpose of having the separate unix permissions on
the repositories (since users can view the other repository via ssh). Am I
thinking about this wrong? Or do I just have something configured wrong
somewhere?

Thanks for your help,
-skye





RjOllos

Sep 27, 2012, 3:49:02 PM
to trac-...@googlegroups.com, skye...@skyeome.net
On Thursday, September 27, 2012 10:03:14 AM UTC-7, skyebend wrote:
> Everything seems to work fine, except that I can only get Trac repo
> browsing to work if the repositories are set to world-readable, which
> kind of defeats the purpose of having the separate unix permissions on
> the repositories (since users can view the other repository via ssh). Am I
> thinking about this wrong? Or do I just have something configured wrong
> somewhere?

Have you set up TracFineGrainedPermission for the repository browsing? http://trac.edgewall.org/wiki/TracFineGrainedPermissions
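An added example, not part of the thread and not Trac's or Subversion's own tooling: a POSIX shell check for the layout described in the question (repository owned by the web server account, one unix group per repository, no access for "other"). The function name `audit_repo`, its finding labels and the `/path/to/repo-A` placeholder are assumptions made for illustration; `www-data` and `svn-repo-A` are the names used in the post.

```shell
#!/bin/sh
# audit_repo REPO OWNER GROUP
# Reports every path under REPO that breaks the intended scheme:
#   WORLD-ACCESS  any read/write/execute bit set for "other", which lets
#                 every shell account on the host reach the repository
#   WRONG-OWNER   not owned by OWNER (the web server account, e.g. www-data)
#   WRONG-GROUP   not in GROUP (the per-repository group, e.g. svn-repo-A)
# Returns 0 when the tree is clean, 1 when there are findings, 2 on bad input.
audit_repo() {
    repo=$1; owner=$2; group=$3
    if [ ! -d "$repo" ]; then
        echo "ERROR: not a directory: $repo" >&2
        return 2
    fi
    findings=$(
        # Symlinks always show mode 777 on Linux, so they are skipped here.
        find "$repo" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) \
            -exec printf 'WORLD-ACCESS %s\n' {} +
        find "$repo" ! -user "$owner" -exec printf 'WRONG-OWNER %s\n' {} +
        find "$repo" ! -group "$group" -exec printf 'WRONG-GROUP %s\n' {} +
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Run against a real repository only when three arguments are given, e.g.
#   sh audit_repo.sh /path/to/repo-A www-data svn-repo-A
if [ "$#" -eq 3 ]; then
    audit_repo "$1" "$2" "$3"
fi
```

A clean result for both repositories, checked after Trac browsing works, confirms that the world-readable workaround is no longer in place.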