running subversion as non-root
Giorgos Keramidas
keramida at ceid.upatras.gr
Tue Nov 1 04:56:24 PST 2005
On 2005-11-01 07:50, Cerion Armour-Brown <cerion at terpsichore.ws> wrote:
>On Tue, 1 Nov 2005 14:41:45 +0200, Giorgos Keramidas wrote
>>On 2005-11-01 05:57, Cerion Armour-Brown <cerion at terpsichore.ws> wrote:
>>> Running subversion as root works fine, but under user 'svn' I get a load of
>>> permission problems, e.g.
>>> /usr/libexec/ld-elf.so.1: Cannot open "/usr/local/lib/apache2/libaprutil-0.so.9"
>>>
>>> I fixed this by adding svn to group wheel, but am not sure if this is 'the
>>> right way'. Is there a standard solution to this?
>>
>> What are the permissions of all the path components up to and
>> including the library that fails to load?
>>
>> Something like this could print all the path components and their
>> permissions:
>>
>> ls -ld $(
>> libpath='/usr/local/lib/apache2/libaprutil-0.so.9'
>> while [ -n "${libpath}" ] && [ ! "${libpath_prev}" = "${libpath}" ]; do
>> echo "${libpath}"
>> libpath_prev="${libpath}"
>> libpath=$(dirname "${libpath}")
>> done )
>
> drwxr-xr-x 15 root wheel 512 Jun 3 10:05 //
> drwxr-xr-x 16 root wheel 512 Oct 31 15:05 /usr/
> drwxr-xr-x 17 root wheel 512 Oct 31 15:45 /usr/local/
> drwxr-xr-x 14 root wheel 4608 Nov 1 10:09 /usr/local/lib/
> drwxr-xr-x 2 root wheel 512 Oct 31 13:43 /usr/local/lib/apache2/
> -rwxr-x--- 1 root wheel 89832 Oct 31 13:43 /usr/local/lib/apache2/libaprutil-0.so.9*
> lrwxr-x--- 1 root wheel 17 Oct 31 13:43 /usr/local/lib/apache2/libaprutil-0.so@ -> libaprutil-0.so.9
>
> this look like yours?
No, since I don't run apache2 from the ports here, but at least
it's obvious why you have to be in the wheel group to access the
libaprutil-0.so files :)
The owner of libaprutil-0.so.9 and libaprutil-0.so is root:wheel
and their permissions allow read/execute access to all the wheel
members, but not to anyone else.
I'm not sure if this was done for security reasons, but IMHO you
have two options:
(1) Add the 'svn' user to the wheel group. This is not a
good idea, as being a part of the wheel group gives
permissions that subversion doesn't really need.
(2) Change the permissions of libaprutil*.so* files to 0755,
which would allow subversion to access the shared
libraries without being in the wheel group.
I'd go for option (2) if I were you.
- Giorgos
More information about the freebsd-questions
mailing list