From owner-freebsd-questions@FreeBSD.ORG Tue Nov 1 12:56:24 2005
Date: Tue, 1 Nov 2005 14:56:17 +0200
From: Giorgos Keramidas
To: Cerion Armour-Brown
Cc: freebsd-questions@freebsd.org
Subject: Re: running subversion as non-root
Message-ID: <20051101125617.GA2318@flame.pc>
References: <20051101105745.M78709@terpsichore.ws> <20051101124144.GA1568@flame.pc> <20051101125015.M15158@terpsichore.ws>
In-Reply-To: <20051101125015.M15158@terpsichore.ws>

On 2005-11-01 07:50, Cerion Armour-Brown wrote:
> On Tue, 1 Nov 2005 14:41:45 +0200, Giorgos Keramidas wrote
>> On 2005-11-01 05:57, Cerion Armour-Brown wrote:
>>> Running subversion as root works fine, but under user 'svn' I get a load of
>>> permission problems, e.g.
>>> /usr/libexec/ld-elf.so.1: Cannot open "/usr/local/lib/apache2/libaprutil-0.so.9"
>>>
>>> I fixed this by adding svn to group wheel, but am not sure if this is 'the
>>> right way'. Is there a standard solution to this?
>>
>> What are the permissions of all the path components up to and
>> including the library that fails to load?
>>
>> Something like this could print all the path components and their
>> permissions:
>>
>>     ls -ld $(
>>         libpath='/usr/local/lib/apache2/libaprutil-0.so.9'
>>         while [ -n "${libpath}" ] && [ ! "${libpath_prev}" = "${libpath}" ]; do
>>             echo "${libpath}"
>>             libpath_prev="${libpath}"
>>             libpath=$(dirname "${libpath}")
>>         done )
>
> drwxr-xr-x 15 root wheel 512 Jun 3 10:05 //
> drwxr-xr-x 16 root wheel 512 Oct 31 15:05 /usr/
> drwxr-xr-x 17 root wheel 512 Oct 31 15:45 /usr/local/
> drwxr-xr-x 14 root wheel 4608 Nov 1 10:09 /usr/local/lib/
> drwxr-xr-x 2 root wheel 512 Oct 31 13:43 /usr/local/lib/apache2/
> -rwxr-x--- 1 root wheel 89832 Oct 31 13:43 /usr/local/lib/apache2/libaprutil-0.so.9*
> lrwxr-x--- 1 root wheel 17 Oct 31 13:43 /usr/local/lib/apache2/libaprutil-0.so@ -> libaprutil-0.so.9
>
> this look like yours?

No, since I don't run apache2 from the ports here, but at least it's
obvious why you have to be in the wheel group to access the
libaprutil-0.so files :)

The owner of libaprutil-0.so.9 and libaprutil-0.so is root:wheel and
their permissions allow read/execute access to all the wheel members,
but not to anyone else.

I'm not sure if this was done for security reasons, but IMHO you have
two options:

    (1) Add the 'svn' user to the wheel group. This is not a good
        idea, as being a part of the wheel group gives permissions
        that subversion doesn't really need.

    (2) Change the permissions of libaprutil*.so* files to 0755, which
        would allow subversion to access the shared libraries without
        being in the wheel group.

I'd go for option (2) if I were you.

- Giorgos
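
Added example, not part of the original message: a POSIX sh variant of the path walk quoted above that reads the mode bits itself and reports which components would stop a user who is neither the owner nor in the owning group (the 'svn' account outside wheel). The function names are hypothetical, and it assumes plain mode bits with no ACLs in play.

```shell
#!/bin/sh
# Added example (function names are hypothetical, not from the thread).
# Report the components of a path that block a user who is neither the
# owner nor a member of the owning group. Assumes plain mode bits, no ACLs.

# other_bits PATH: print the three "other" permission characters, e.g. "r-x".
other_bits() {
    # -d: describe the directory itself, -L: follow symlinks to their target
    ls -ldL "$1" | awk '{ print substr($1, 8, 3) }'
}

# blocked_for_other PATH: print one line per component that blocks access.
blocked_for_other() {
    p=$1
    prev=
    while [ -n "$p" ] && [ "$p" != "$prev" ]; do
        if [ ! -e "$p" ]; then
            echo "$p: does not exist"
        elif [ -d "$p" ]; then
            bits=$(other_bits "$p")
            case $bits in
                ??x|??t) ;;   # others may search (traverse) the directory
                *) echo "$p: directory not searchable by others ($bits)" ;;
            esac
        else
            bits=$(other_bits "$p")
            case $bits in
                r??) ;;       # others may read, so the linker can open it
                *) echo "$p: file not readable by others ($bits)" ;;
            esac
        fi
        prev=$p
        p=$(dirname "$p")
    done
}

# Usage: blocked_for_other /usr/local/lib/apache2/libaprutil-0.so.9
```

Because it inspects mode bits rather than attempting the open, it gives the same answer when run as root, and an empty result after applying option (2) confirms the library is reachable without wheel membership.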