Date:      Tue, 1 Nov 2005 14:56:17 +0200
From:      Giorgos Keramidas <keramida@ceid.upatras.gr>
To:        Cerion Armour-Brown <cerion@terpsichore.ws>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: running subversion as non-root
Message-ID:  <20051101125617.GA2318@flame.pc>
In-Reply-To: <20051101125015.M15158@terpsichore.ws>
References:  <20051101105745.M78709@terpsichore.ws> <20051101124144.GA1568@flame.pc> <20051101125015.M15158@terpsichore.ws>

On 2005-11-01 07:50, Cerion Armour-Brown <cerion@terpsichore.ws> wrote:
>On Tue, 1 Nov 2005 14:41:45 +0200, Giorgos Keramidas wrote
>>On 2005-11-01 05:57, Cerion Armour-Brown <cerion@terpsichore.ws> wrote:
>>> Running subversion as root works fine, but under user 'svn' I get a load of
>>> permission problems, e.g.
>>> /usr/libexec/ld-elf.so.1: Cannot open "/usr/local/lib/apache2/libaprutil-0.so.9"
>>>
>>> I fixed this by adding svn to group wheel, but am not sure if this is 'the
>>> right way'.   Is there a standard solution to this?
>> 
>> What are the permissions of all the path components up to and
>> including the library that fails to load?
>> 
>> Something like this could print all the path components and their
>> permissions:
>> 
>>     ls -ld $(
>>         libpath='/usr/local/lib/apache2/libaprutil-0.so.9'
>>         while [ -n "${libpath}" ] && [ ! "${libpath_prev}" = "${libpath}" ]; do
>>             echo "${libpath}"
>>             libpath_prev="${libpath}"
>>             libpath=$(dirname "${libpath}")
>>         done )
> 
> drwxr-xr-x  15 root  wheel    512 Jun  3 10:05 //
> drwxr-xr-x  16 root  wheel    512 Oct 31 15:05 /usr/
> drwxr-xr-x  17 root  wheel    512 Oct 31 15:45 /usr/local/
> drwxr-xr-x  14 root  wheel   4608 Nov  1 10:09 /usr/local/lib/
> drwxr-xr-x   2 root  wheel    512 Oct 31 13:43 /usr/local/lib/apache2/
> -rwxr-x---   1 root  wheel  89832 Oct 31 13:43 /usr/local/lib/apache2/libaprutil-0.so.9*
> lrwxr-x---  1 root  wheel      17 Oct 31 13:43 /usr/local/lib/apache2/libaprutil-0.so@ -> libaprutil-0.so.9
> 
> this look like yours?

No, since I don't run apache2 from the ports here, but at least
it's obvious why you have to be in the wheel group to access the
libaprutil-0.so files :)

The owner of libaprutil-0.so.9 and libaprutil-0.so is root:wheel
and their permissions allow read/execute access to all the wheel
members, but not to anyone else.

I'm not sure if this was done for security reasons, but IMHO you
have two options:

    (1) Add the 'svn' user to the wheel group.  This is not a
        good idea, as being a part of the wheel group gives
        permissions that subversion doesn't really need.

    (2) Change the permissions of libaprutil*.so* files to 0755,
        which would allow subversion to access the shared
        libraries without being in the wheel group.

I'd go for option (2) if I were you.

- Giorgos
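
An added example, not part of the original message: a POSIX sh function that walks the same path components as the loop quoted above and prints only the ones that users outside the owner and group cannot use (directories need the search bit, the library file needs the read bit). The name `other_blocked` is made up for this example, and it looks at mode bits only, not ACLs or file flags.

```sh
#!/bin/sh
# Added example, not from the original thread.
# Prints each component of a path that the "other" permission class
# (anyone who is neither the owner nor in the group) cannot use.
# Only mode bits are inspected; ACLs and file flags are not.

other_blocked() {
    p=$1
    prev=
    # Same walk as the loop in the thread: file first, then each parent up to /.
    while [ -n "$p" ] && [ "$p" != "$prev" ]; do
        if [ ! -L "$p" ]; then      # symlinks are skipped; check their target path instead
            line=$(ls -ld "$p") || return 2
            mode=$(printf '%s' "$line" | cut -c1-10)
            o_r=$(printf '%s' "$mode" | cut -c8)     # read bit for "other"
            o_x=$(printf '%s' "$mode" | cut -c10)    # execute/search bit for "other"
            if [ -d "$p" ]; then
                # A directory must be searchable; "t" is sticky plus x.
                case $o_x in
                    x|t) ;;
                    *) echo "$mode $p (directory not searchable by other)" ;;
                esac
            elif [ "$o_r" != r ]; then
                # The runtime linker has to read the shared object to map it.
                echo "$mode $p (file not readable by other)"
            fi
        fi
        prev=$p
        p=$(dirname "$p")
    done
}

# Usage: sh other_blocked.sh /usr/local/lib/apache2/libaprutil-0.so.9
if [ $# -gt 0 ]; then
    other_blocked "$1"
fi
```

No output means every component is usable by an unprivileged account such as 'svn' without any extra group membership.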
