避免让 subversion 修改 Linux 文件权限。

发布于 2024-11-06 09:26:59 字数 816 浏览 4 评论 0原文

我的所有代码库都存储在一个 subversion 存储库中,我将该存储库分散在负载平衡的 Apache Web 服务器中,从而可以轻松检查代码、运行更新以及无缝地将开发中的代码转移到生产中。

我确信有一个简单的解决方法(除了在每次签出时执行脚本之外)的不便之处之一是在使用 subversion 更新或签出的文件上获取(返回)Linux 权限集。我们的安全团队已在 httpd.conf 文件中设置 OwnerGroup,以及 documentRoot< 中的所有目录/code> 接收 700 权限,所有非可执行文件(例如 *.php、*.smarty、*.png)接收 Linux 权限 600,所有可执行文件接收 700(例如 *.sh、*.pl、*. py)。所有文件的所有者和组必须设置为 apache:apache 才能被 httpd 服务读取,因为只有文件所有者被设置为可以通过权限进行访问。

每次我运行 svn updatesvn co 时,即使可能未创建文件(即 svn update),我也会发现文件的所有权被设置为运行 svn 命令的帐户,并且通常情况下,文件权限被设置为不同于最初的权限(即更新前的 .htm 文件为 600,但在svn update之后,它被设置为755,甚至777)。

绕过 Subversion 更新文件权限和所有权的尝试的最简单方法是什么?是否可以在svn客户端内或Linux服务器上做一些事情来保留原始文件权限?我正在运行 RHEL5(现在在一些选定的实例上运行 6)。

All of my code base is being stored in a subversion repository that I disperse amongst my load balanced Apache web servers, making it easy to check out code, run updates, and seamlessly get my code in development onto production.

One of the inconveniences that I'm sure there is a easy work around for (other than executing a script upon every checkout), is getting the Linux permissions set (back) on files that are updated or checked out with subversion. Our security team has it set that the Owner and Group set in the httpd.conf files, and all directories within the documentRoot receive permissions of 700, all non-executable files (e.g. *.php, *.smarty, *.png) receive Linux permissions of 600, all executable files receive 700 (e.g. *.sh, *.pl, *.py). All files must have owner and group set to apache:apache in order to be read by the httpd service since only the file owner is set to have access via the permissions.

Every time I run an svn update, or svn co, even though the files may not be created (i.e. svn update), I'm finding that the ownership of the files is getting set to the account that is running the svn commands, and often times, the file permissions are getting set to something other than what they were originally (i.e. a .htm file before an update is 600, but after and svn update, it gets set to 755, or even 777).

What is the easiest way to bypass subversion's attempts at updating the file permissions and ownership? Is there something that can be done within the svn client, or on the Linux server to retain the original file permissions? I'm running RHEL5 (and now 6 on a few select instances).

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(6

魂归处 2024-11-13 09:26:59

文件的所有者将被设置为运行 svn 命令的用户,因为它如何实现底层 up 命令 - 它删除并替换更新的文件,这将导致所有权“更改”到相关用户。防止这种情况的唯一方法是以文件所属的用户身份实际执行 svn up。如果您想确保它们由特定用户拥有,请以该用户身份运行该命令。

关于权限,svn 仅遵循帐户的 umask 设置 - 可能类似于 066 - 为了确保组和其他帐户无法访问该文件,您需要在执行 svn 之前发出“umask 077” up,这确保只有发出命令的用户帐户才能访问这些文件。

我会注意将颠覆数据部署到 Web 服务器的安全问题,除非 .svn 目录受到保护。

the owner of the files will be set to the user that is running the svn command because of how it implements the underlying up command - it removes and replaces files that are updated, which will cause the ownership to 'change' to the relevant user. The only way to prevent this is to actually perform the svn up as the user that the files are supposed to be owned as. If you want to ensure that they're owned by a particular user, then run the command as that user.

With regards to the permissions, svn is only obeying the umask settings of the account - it's probably something like 066 - in order to ensure that the file is inaccessible to group and other accounts, you need to issue 'umask 077' before performing the svn up, this ensures that the files are only accessible to the user account issuing the command.

I'd pay attention to the security issue of deploying the subversion data into the web server unless the .svn directories are secured.

凉栀 2024-11-13 09:26:59

您可以在 Subversion 中存储文件的属性(请参阅 http://svnbook.red- bean.com/en/1.0/ch07s02.html)。您对 svn:executable 属性特别感兴趣,它将确保存储可执行权限。

不过,没有通用的方法可以对所有权限执行此操作。 Subversion 也不存储所有权 - 它假设,如果您签出某些内容,您就拥有它。

You can store properties on a file in Subversion (see http://svnbook.red-bean.com/en/1.0/ch07s02.html). You're particularly interested in the svn:executable property, which will make sure that the executable permission is stored.

There's no general way to do this for all permissions, though. Subversion doesn't store ownership either - it assumes that, if you check something out, you own it.

〃安静 2024-11-13 09:26:59

你可以解决这个问题。使用setgid

  1. 您有 apache:apache 正在运行服务器

  2. 对所有文件和目录设置组权限。服务器将按其组读取文件

  3. 在所有目录上设置setgid - 仅在目录上:在文件上设置此功能具有不同的功能

    示例(“2”是 setgid):

    chmod 2750

  4. apache 设为所有目录的组

发生的情况是

  • 由 < 创建的新文件和目录strong>任何帐户将归apache组所有

  • 新目录将继承setgid,从而毫不费力地保留结构

即可查看https://en.wikipedia.org/wiki/Setuid#setuid_and_setgid_on_directories

You can solve this. Use setgid.

  1. You have apache:apache running the server

  2. Set group permission on all files and directories. The server will read files by it's group

  3. Set setgid on all directories - only on directories: setting this on files has a different function

    Example ('2' is setgid):

    chmod 2750

  4. Make apache the group of all directories

What happens is

  • New files and directories created by any account will be owned by the apache group

  • New directories will inherit the setgid and thus preserve the structure without any effort

See https://en.wikipedia.org/wiki/Setuid#setuid_and_setgid_on_directories

离去的眼神 2024-11-13 09:26:59

您可能会考虑做的一件事是在路径之外安装 svn 二进制文件,并在路径中放置一个替换脚本(位于并称为 /usr/bin/svn 或其他)小路。该脚本看起来像这样:

#!/bin/sh

# set umask, whatever else you need to do before svn commands

/opt/svn/svn $* # pass all arguments to the actual svn binary, stored outside the PATH

# run chmod, whatever else you need to do after svn commands

一个明显的缺点是您可能必须对传递给 svn 的参数进行一些解析,即这样您就可以将相同的路径传递给 chmod,而不是为大多数 svn 命令运行 chmod等等。

这里可能还存在一些安全考虑。我不知道您的部署环境是什么样的,但您可能应该进一步调查一下。

One thing you may consider doing is installing the svn binary outside your path, and putting a replacement script (at and called /usr/bin/svn, or whatever) in the path. The script would look something like this:

#!/bin/sh

# set umask, whatever else you need to do before svn commands

/opt/svn/svn $* # pass all arguments to the actual svn binary, stored outside the PATH

# run chmod, whatever else you need to do after svn commands

A definite downside is that you'll probably have to do some amount of parsing of the arguments passed to svn, i.e. so you can pass the same path to your chmod, not run chmod for most svn commands, etc.

There are also probably some security considerations here. I don't know what your deployment environment is like, but you should probably investigate that a bit further.

著墨染雨君画夕 2024-11-13 09:26:59

我编写了一个小脚本,用于存储权限和所有者、执行 SVN 命令并恢复权限和所有者。
它可能不是防黑客的,但对于私人用途来说它可以完成工作。

svnupdate.sh:

#!/usr/bin/env bash
if [ $# -eq 0 ]; then
    echo "Syntax: $0 <filename>"
    exit
fi

IGNORENEXT=0
COMMANDS=''
FILES='';
for FILENAME in "$@"
do
    if [[ $IGNORENEXT > 0 ]]; then
        IGNORENEXT=0
    else
        case $FILENAME in
            # global, shift argument if needed
            --username|--password|--config-dir|--config-option)
            IGNORENEXT=1
            ;;
            --no-auth-cache|--non-interactive|--trust-server-cert)
            ;;
            # update arguments, shift argument if needed
            -r|--revision|--depth|--set-depth|--diff3-cmd|--changelist|--editor-cmd|--accept)
            IGNORENEXT=1
            ;;
            -N|--non-recursive|-q|--quiet|--force|--ignore-externals)
            ;;
            *)
            if [ -f $FILENAME ]; then
                FILES="$FILES $FILENAME"
                OLDPERM=$(stat -c%a $FILENAME)
                OLDOWNER=$(stat -c%U $FILENAME)
                OLDGROUP=$(stat -c%G $FILENAME)
                FILECOMMANDS="chmod $OLDPERM $FILENAME; chown $OLDOWNER.$OLDGROUP $FILENAME;"
                COMMANDS="$COMMANDS $FILECOMMANDS"
                echo "COMMANDS: $FILECOMMANDS"
            else
                echo "File not found: $FILENAME"
            fi
            ;;
        esac
    fi
done
OUTPUT=$(svn update "$@")
echo "$OUTPUT"
if [[ ( $? -eq 0 ) && ( $OUTPUT != Skipped* ) && ( $OUTPUT != "At revision"* ) ]]; then
    bash -c "$COMMANDS"
    ls -l $FILES
fi

I wrote a small script that stores permissions and owner, executes your SVN command and restores permissions and owner.
It is probably is not hackerproof but for private use it does the job.

svnupdate.sh:

#!/usr/bin/env bash
if [ $# -eq 0 ]; then
    echo "Syntax: $0 <filename>"
    exit
fi

IGNORENEXT=0
COMMANDS=''
FILES='';
for FILENAME in "$@"
do
    if [[ $IGNORENEXT > 0 ]]; then
        IGNORENEXT=0
    else
        case $FILENAME in
            # global, shift argument if needed
            --username|--password|--config-dir|--config-option)
            IGNORENEXT=1
            ;;
            --no-auth-cache|--non-interactive|--trust-server-cert)
            ;;
            # update arguments, shift argument if needed
            -r|--revision|--depth|--set-depth|--diff3-cmd|--changelist|--editor-cmd|--accept)
            IGNORENEXT=1
            ;;
            -N|--non-recursive|-q|--quiet|--force|--ignore-externals)
            ;;
            *)
            if [ -f $FILENAME ]; then
                FILES="$FILES $FILENAME"
                OLDPERM=$(stat -c%a $FILENAME)
                OLDOWNER=$(stat -c%U $FILENAME)
                OLDGROUP=$(stat -c%G $FILENAME)
                FILECOMMANDS="chmod $OLDPERM $FILENAME; chown $OLDOWNER.$OLDGROUP $FILENAME;"
                COMMANDS="$COMMANDS $FILECOMMANDS"
                echo "COMMANDS: $FILECOMMANDS"
            else
                echo "File not found: $FILENAME"
            fi
            ;;
        esac
    fi
done
OUTPUT=$(svn update "$@")
echo "$OUTPUT"
if [[ ( $? -eq 0 ) && ( $OUTPUT != Skipped* ) && ( $OUTPUT != "At revision"* ) ]]; then
    bash -c "$COMMANDS"
    ls -l $FILES
fi
花辞树 2024-11-13 09:26:59

我也有类似的问题。
我发现了一个很酷的脚本:asvn (Archive SVN)。

您可以在这里下载:
https://svn.apache.org/repos/asf /subversion/trunk/contrib/client-side/asvn

<前><代码>说明:
Archive SVN (asvn) 将允许记录不支持的文件类型
通常由 svn 处理。目前这包括设备、
符号链接和文件所有权/权限。

每个文件和目录都有一个“file:permissions”属性集
每个目录都有一个“dir:devices”和“dir:symlinks”
记录额外的信息。

使用普通 svn 参数运行此脚本而不是 svn。

此博客条目(帮助我找到脚本)http://jon.netdork.net/2010/06/28/configuration-management-part-ii-setting-up-svn/ 显示了一个简单的用法。

I also had a similar problem.
I found a cool script: asvn (Archive SVN).

You can download it here:
https://svn.apache.org/repos/asf/subversion/trunk/contrib/client-side/asvn

Description:
Archive SVN (asvn) will allow the recording of file types not
normally handled by svn. Currently this includes devices,
symlinks and file ownership/permissions.

Every file and directory has a 'file:permissions' property set and
every directory has a 'dir:devices' and 'dir:symlinks' for
recording the extra information.

Run this script instead of svn with the normal svn arguments.

This blog entry (which helps me to find script) http://jon.netdork.net/2010/06/28/configuration-management-part-ii-setting-up-svn/ shows a simple usage.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文