running subversion as non-root
Cerion Armour-Brown
cerion at terpsichore.ws
Tue Nov 1 05:16:57 PST 2005
On Tue, 1 Nov 2005 14:56:17 +0200, Giorgos Keramidas wrote
> On 2005-11-01 07:50, Cerion Armour-Brown <cerion at terpsichore.ws> wrote:
> >On Tue, 1 Nov 2005 14:41:45 +0200, Giorgos Keramidas wrote
> >>On 2005-11-01 05:57, Cerion Armour-Brown <cerion at terpsichore.ws> wrote:
> >>> Running subversion as root works fine, but under user 'svn' I get a load of
> >>> permission problems, e.g.
> >>> /usr/libexec/ld-elf.so.1: Cannot open
"/usr/local/lib/apache2/libaprutil-0.so.9"
> >>>
> >>> I fixed this by adding svn to group wheel, but am not sure if this is 'the
> >>> right way'. Is there a standard solution to this?
> >>
> >> What are the permissions of all the path components up to and
> >> including the library that fails to load?
> >>
> >> Something like this could print all the path components and their
> >> permissions:
> >>
> >> ls -ld $(
> >> libpath='/usr/local/lib/apache2/libaprutil-0.so.9'
> >> while [ -n "${libpath}" ] && [ ! "${libpath_prev}" = "${libpath}"
]; do
> >> echo "${libpath}"
> >> libpath_prev="${libpath}"
> >> libpath=$(dirname "${libpath}")
> >> done )
> >
> > drwxr-xr-x 15 root wheel 512 Jun 3 10:05 //
> > drwxr-xr-x 16 root wheel 512 Oct 31 15:05 /usr/
> > drwxr-xr-x 17 root wheel 512 Oct 31 15:45 /usr/local/
> > drwxr-xr-x 14 root wheel 4608 Nov 1 10:09 /usr/local/lib/
> > drwxr-xr-x 2 root wheel 512 Oct 31 13:43 /usr/local/lib/apache2/
> > -rwxr-x--- 1 root wheel 89832 Oct 31 13:43
/usr/local/lib/apache2/libaprutil-0.so.9*
> > lrwxr-x--- 1 root wheel 17 Oct 31 13:43
/usr/local/lib/apache2/libaprutil-0.so@ -> libaprutil-0.so.9
> >
> > this look like yours?
>
> I'm not sure if this was done for security reasons, but IMHO you
> have two options:
>
> (1) Add the 'svn' user to the wheel group. This is not a
> good idea, as being a part of the wheel group gives
> permissions that subversion doesn't really need.
>
> (2) Change the permissions of libaprutil*.so* files to 0755,
> which would allow subversion to access the shared
> libraries without being in the wheel group.
>
> I'd go for option (2) if I were you.
>
> - Giorgos
My instinct was the same, and I tried this, but there are more libs with the
same permissions problems...
/usr/libexec/ld-elf.so.1: Cannot open "/usr/local/lib/libdb-4.2.so.2"
and if i fix that one...
/usr/libexec/ld-elf.so.1: Cannot open "/usr/local/lib/apache2/libapr-0.so.9"
This really doesn't seem the right way of doing things... is there no 3rd way?
Cerion
More information about the freebsd-questions
mailing list