2

I want our developers (including moi) to be able to run svn update as user www-data on our server, for file/directory permissions.

My solution was to grant access to run sudo -u www-data svn with NOPASSWD in visudo. I also added an alias for this command, and named it svn to make it transparent for our developers.

This works, but I am asked for svn credentials every time (it doesn't save, even if I tell it to). I am thinking about adding the -i parameter, though I thought I should check with you guys first :)

How do I make this as smooth as running the svn update command normally?

Clarification: It is working now. I just don't want to enter my svn credentials every time I run svn update :)

2
  • If you show your line in the sudoers file, we might see what's wrong. Perhaps you should include a full path to the svn binary in the sudoers file. (The sudoers file is what you edit with the visudo command) Commented Nov 25, 2009 at 15:08
  • From sudoers file: %admins ALL=(www-data) NOPASSWD: /usr/bin/svn Commented Nov 25, 2009 at 15:15

4 Answers

4

I am not entirely sure, but passing -H as an argument to sudo might take care of the credentials issue (being asked each time).

This will set the HOME environment variable to /root by default, so I would guess that then the svn client may then know to look in /root/.subversion for the auth information. Specify a different home directory for wherever the credentials should be for your specific case. Also, make sure whatever user can write/read to that file.

2
  • 1
    -H will set HOME to the default homedir of the user specified; since he's using it with -u www-data that'll probably be /var/www (I think that's the default on Ubuntu; check /etc/passwd to be sure). Otherwise this sounds reasonable. Commented Nov 25, 2009 at 16:49
  • This sounds like the solution I was looking for. I think the problem is that it is trying to store the SVN password in my home, and fails because it hasn't write access. Commented Nov 25, 2009 at 22:05
1

Isn't this what setuid was made for? Create a script or compiled binary (depending on your security requirements) that does the update (one system call should do it), and have it setuid and owned by www-data.

3
  • Umm... setuid on the svn binary?? Only if that's the only user you ever want to use svn on that system. Commented Nov 25, 2009 at 16:51
  • No; write a short compiled program or script that does what you want (depending on security concerns) and run that setuid. Commented Nov 25, 2009 at 17:40
  • Ah, that makes sense; you should edit your answer to include such details. Commented Nov 25, 2009 at 18:27
1

Why not try running it with svn update --username wwwdata

0

This behaviour is implemented differently between different distros - which are you using?

For RHEL5:

    Cmnd_Alias SVN = /usr/bin/svn
    herbert ALL = NOPASSWD: SVN

Alternatively you can achieve the same thing with a single script (to restrict the user to a subset of the target program's functionality)

1
  • Ubuntu 9.x is my dist Commented Nov 25, 2009 at 15:29
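
The "single script" approach mentioned in the answers above, as an added example that is not part of the original thread: a wrapper run through sudo as www-data that permits only `svn update` on one working copy and reads cached credentials from a fixed `--config-dir`. The install path, working-copy path, config directory and the sudoers line in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a wrapper that can only run "svn update".
# Hypothetical sudoers rule replacing the bare /usr/bin/svn entry:
#   %admins ALL=(www-data) NOPASSWD: /usr/local/bin/svn-update-www
# Developers run: sudo -u www-data /usr/local/bin/svn-update-www [REVISION]
# Install the wrapper root-owned and not writable by the admins group.

# Assumed values; adjust to the server.
SVN_BIN=/usr/bin/svn
WC_ROOT=/var/www/site              # the one working copy this wrapper may update
SVN_CONF=/var/lib/svn-www/config   # owned by www-data, mode 0700, outside the web root

run_update() {
    # The caller controls at most one value: an optional numeric revision.
    [ "$#" -le 1 ] || { echo "usage: svn-update-www [REVISION]" >&2; return 2; }
    if [ "$#" -eq 1 ]; then
        case "$1" in
            ''|*[!0-9]*) echo "revision must be a number" >&2; return 2 ;;
        esac
        set -- -r "$1"
    fi
    # Subcommand, config directory and target are fixed, so no other svn
    # subcommand or option can be reached through sudo. Cached credentials
    # are read from SVN_CONF regardless of the invoking developer's HOME.
    "$SVN_BIN" update --non-interactive --config-dir "$SVN_CONF" "$@" "$WC_ROOT"
}

# Run only under the installed name, so the function can also be sourced.
case "${0##*/}" in
    svn-update-www) run_update "$@" ;;
esac
```

Because of `--non-interactive` the wrapper never prompts, so credentials must already be cached in that config directory.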
