Subversion on OpenBSD: svnserve+sasl
Hi, I would like to set up a fast, simple (lightweight), secure Subversion repository server on OpenBSD. I've found the svnbook (and the chapter on Server Configuration) and I think I need the svnserve+sasl configuration. The Built-in Authentication and Authorization would work except the repository data is sent over the network in the clear. Tunneling over SSH seems simple but I don't want svn users to have ssh (system user) accounts.
This is what I'm working with:

$ dmesg | head -n 2
Code:
    OpenBSD 5.8-stable (GENERIC) #1: Sun Feb 28 17:25:17 EST 2016
        root@minerva.bohemia.net:/usr/src/sys/arch/i386/compile/GENERIC

$ svnserve --version
Code:
    svnserve, version 1.8.14 (r1692801)
       compiled Mar 13 2016, 22:49:48 on i386-unknown-openbsd5.8

    Copyright (C) 2015 The Apache Software Foundation.
    This software consists of contributions made by many people; see the NOTICE
    file for more information.
    Subversion is open source software, see http://subversion.apache.org/

    The following repository back-end (FS) modules are available:

    * fs_fs : Module for working with a plain file (FSFS) repository.
    * fs_base : Module for working with a Berkeley DB repository.

    Cyrus SASL authentication is available.

$ svn --version
Code:
    svn, version 1.8.14 (r1692801)
       compiled Mar 13 2016, 22:49:48 on i386-unknown-openbsd5.8

    Copyright (C) 2015 The Apache Software Foundation.
    This software consists of contributions made by many people; see the NOTICE
    file for more information.
    Subversion is open source software, see http://subversion.apache.org/

    The following repository access (RA) modules are available:

    * ra_svn : Module for accessing a repository using the svn network protocol.
      - with Cyrus SASL authentication
      - handles 'svn' scheme
    * ra_local : Module for accessing a repository on local disk.
      - handles 'file' scheme
    * ra_serf : Module for accessing a repository via WebDAV protocol using serf.
      - using serf 1.3.8
      - handles 'http' scheme
      - handles 'https' scheme

So the real question is: Does anyone know of an OpenBSD/svnserve+sasl How-To configuration guide? If not, does anyone want to help me develop one?

Last edited by hanzer; 9th April 2016 at 12:07 AM. Reason: s/quote/code/g
Update
I think I've cobbled together something that basically works but it's not entirely finished and it almost certainly needs some refinement and sanity checks. Here's the process:
# groupadd _svn
# useradd -d /var/svn -m -c "Subversion svnserve" -g _svn -L daemon -s /sbin/nologin _svn
# rm -rf /var/svn/.*

See: How to add a user/group for a daemon

$ doas -u _svn svnadmin create /var/svn/project-A
$ doas -u _svn vi /var/svn/project-A/conf/svnserve.conf
Code:
    [general]
    anon-access = none
    auth-access = write
    realm = minerva.bohemia.net

    [sasl]
    use-sasl = true
    min-encryption = 128
    max-encryption = 256

$ doas vi /usr/local/lib/sasl2/svn.conf
Code:
    pwcheck_method: auxprop
    auxprop_plugin: sasldb
    sasldb_path: /etc/my_sasldb
    mech_list: DIGEST-MD5

$ doas chgrp bin /usr/local/lib/sasl2/svn.conf
$ doas saslpasswd2 -c -f /etc/my_sasldb -a svnserve -u minerva.bohemia.net hanzer
$ doas chown _svn:_svn /etc/my_sasldb.db
# doas -u _svn svnserve -d -r /var/svn
$ svn mkdir svn://minerva.bohemia.net/project-A/{trunk,tags,branches} -m "Creating basic directory structure"
Code:
    Authentication realm: <svn://minerva.bohemia.net:3690> minerva.bohemia.net
    Password for 'hanzer': **********

$ svn list svn://minerva.bohemia.net/project-A
Code:
    Authentication realm: <svn://minerva.bohemia.net:3690> minerva.bohemia.net
    Password for 'hanzer': **********
    branches/
    tags/
    trunk/
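The two configuration files in the post above are what decide whether repository traffic is authenticated and carried over a SASL security layer, and the sasldb permissions matter for the same reason. The script below is an added example, not hanzer's code and not part of Subversion or Cyrus SASL: it parses an svnserve.conf and an svn.conf with a small ini/colon-file reader and flags the weak settings a stock install leaves in place (anonymous read access, no mandatory security layer, cleartext SASL mechanisms, a world-readable sasldb). The sample files it writes are constructed to match the thread, and the checks assume svnserve's documented defaults for missing keys (anon-access=read, min-encryption=0).

```shell
#!/bin/sh
# Added example, not from the thread: audit an svnserve.conf and the matching
# SASL svn.conf for the settings hanzer ended up with, and flag weaker ones.
# The sample files written below are constructed for this example.

# ini_get FILE SECTION KEY: print the value of KEY in [SECTION], or nothing
# if it is unset. Accepts "key = value" and "key=value"; skips comments.
ini_get() {
    awk -v sect="$2" -v key="$3" '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ { in_sect = ($0 ~ ("^[ \t]*\\[" sect "\\][ \t]*$")); next }
        in_sect {
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# check_svnserve_conf FILE: 0 when anonymous access is off, SASL is on and a
# security layer of at least 128 bits is mandatory; 1 otherwise. svnserve's
# defaults for missing keys (anon-access=read, min-encryption=0) are assumed.
check_svnserve_conf() {
    rc=0
    anon=$(ini_get "$1" general anon-access)
    [ "${anon:-read}" = none ] ||
        { echo "anon-access is '${anon:-read}', expected none"; rc=1; }
    sasl=$(ini_get "$1" sasl use-sasl)
    [ "$sasl" = true ] ||
        { echo "use-sasl is '${sasl:-unset}', expected true"; rc=1; }
    minenc=$(ini_get "$1" sasl min-encryption)
    [ "${minenc:-0}" -ge 128 ] 2>/dev/null ||
        { echo "min-encryption is '${minenc:-0}', expected >= 128"; rc=1; }
    return $rc
}

# check_sasl_conf FILE: 0 when mech_list offers no cleartext or anonymous
# mechanism and a sasldb_path is configured; 1 otherwise.
check_sasl_conf() {
    rc=0
    mechs=$(awk -F: '$1 == "mech_list" { sub(/^[ \t]+/, "", $2); print $2 }' "$1")
    for m in $mechs; do
        case $m in
            PLAIN|LOGIN|ANONYMOUS)
                echo "mech_list offers cleartext/anonymous mechanism $m"; rc=1 ;;
        esac
    done
    db=$(awk -F: '$1 == "sasldb_path" { sub(/^[ \t]+/, "", $2); print $2 }' "$1")
    [ -n "$db" ] || { echo "sasldb_path is not set"; rc=1; }
    return $rc
}

# world_readable FILE: 0 when "other" has read permission. Parses ls(1)
# output so it behaves the same on OpenBSD and Linux (their stat(1) differ).
world_readable() {
    case $(ls -ld "$1" | cut -c8) in
        r) return 0 ;;
        *) return 1 ;;
    esac
}

# run_audit SVNSERVE_CONF SASL_CONF SASLDB: 0 when every check passes.
run_audit() {
    ok=0
    check_svnserve_conf "$1" || ok=1
    check_sasl_conf "$2" || ok=1
    if [ -e "$3" ] && world_readable "$3"; then
        echo "$3 is world-readable"; ok=1
    fi
    return $ok
}

# Constructed samples: the hardened svnserve.conf from the thread, a stock
# one with the defaults left in, and the SASL svn.conf from the thread.
good_conf=$(mktemp); weak_conf=$(mktemp); sasl_conf=$(mktemp)
trap 'rm -f "$good_conf" "$weak_conf" "$sasl_conf"' EXIT
cat > "$good_conf" <<'EOF'
[general]
anon-access = none
auth-access = write
realm = minerva.bohemia.net
[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256
EOF
cat > "$weak_conf" <<'EOF'
[general]
anon-access = read
auth-access = write
[sasl]
use-sasl = true
EOF
cat > "$sasl_conf" <<'EOF'
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /etc/my_sasldb
mech_list: DIGEST-MD5
EOF

echo "hardened config:"; run_audit "$good_conf" "$sasl_conf" /etc/my_sasldb.db && echo "  ok"
echo "default config:";  run_audit "$weak_conf" "$sasl_conf" /etc/my_sasldb.db || echo "  FAIL"
```

On a live server you would point run_audit at /var/svn/project-A/conf/svnserve.conf, /usr/local/lib/sasl2/svn.conf and /etc/my_sasldb.db; the sasldb check only reports "other" read permission, so the chown to _svn:_svn in the post above still has to be verified separately.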
I'll guess that _svn does not have the authority to create files in /var/run, only root can write in that directory. If this is the problem, write your pid file where _svn has authority to write files.
You can debug an rc.subr(8) script with the -d option.
/etc/rc.d/svnserve
Code:
    #!/bin/sh

    daemon="/usr/local/bin/svnserve"
    daemon_flags="-d"
    daemon_user="_svn"

    . /etc/rc.d/rc.subr

    rc_cmd $1

$ doas /etc/rc.d/svnserve -d start
Code:
    doing _rc_parse_conf
    doing _rc_quirks
    svnserve_flags >-r /var/svn --listen-host=minerva.bohemia.net --listen-port=3690<
    doing _rc_read_runfile
    doing rc_check
    svnserve
    doing rc_start
    You must specify exactly one of -d, -i, -t or -X.
    Type '/usr/local/bin/svnserve --help' for usage.
    doing _rc_rm_runfile
    (failed)

Code:
    #!/bin/sh

    daemon="/usr/local/bin/svnserve"
    daemon_flags="-d"
    daemon_user="_svn"

    . /etc/rc.d/rc.subr

    rc_start() {
        ${rcexec} "${daemon} -d ${daemon_flags}"
    }

    rc_cmd $1

$ doas /etc/rc.d/svnserve -d start
Code:
    doing _rc_parse_conf
    doing _rc_quirks
    svnserve_flags >-r /var/svn --listen-host=minerva.bohemia.net --listen-port=3690<
    doing _rc_read_runfile
    doing rc_check
    svnserve
    doing rc_start
    doing _rc_write_runfile
    (ok)

Code:
    #!/bin/sh

    daemon="/usr/local/bin/svnserve"
    daemon_flags="-d"
    daemon_user="_svn"

    . /etc/rc.d/rc.subr

    rc_start() {
        /bin/echo ${daemon_flags}
        /bin/echo ${svnserve_flags}
        ${rcexec} "${daemon} -d ${daemon_flags}"
    }

    rc_cmd $1

$ doas /etc/rc.d/svnserve -d start
Code:
    doing _rc_parse_conf
    doing _rc_quirks
    svnserve_flags >-r /var/svn --listen-host=minerva.bohemia.net --listen-port=3690<
    doing _rc_read_runfile
    doing rc_check
    svnserve
    doing rc_start
    -r /var/svn --listen-host=minerva.bohemia.net --listen-port=3690
    -r /var/svn --listen-host=minerva.bohemia.net --listen-port=3690
    doing _rc_write_runfile
    (ok)

$ man rc.d says:
Code:
    daemon_flags
            Additional arguments to call the daemon with.  These will be
            appended to any mandatory arguments already contained in the
            daemon variable defined in the control script.

Code:
    #!/bin/sh

    daemon="/usr/local/bin/svnserve -d"
    daemon_user="_svn"

    . /etc/rc.d/rc.subr

    rc_cmd $1

$ doas /etc/rc.d/svnserve -d start
Code:
    doing _rc_parse_conf
    doing _rc_quirks
    svnserve_flags >-r /var/svn --listen-host=minerva.bohemia.net --listen-port=3690<
    doing _rc_read_runfile
    doing rc_check
    svnserve
    doing rc_start
    doing _rc_write_runfile
    (ok)
In the man page, just below what you posted, it states that daemon_flags is overridden when you specify svnserve_flags. So as you saw, the -d needed to go in the daemon variable to always be added to the command.
Tim.
I guess now it's time to refine the process and prepare to maybe post something in Guides. Do you (anyone) see any rough edges? For example, if sasl is used for other servers, the permissions on /etc/my_sasldb.db probably need to be done differently.

Last edited by hanzer; 10th April 2016 at 03:33 AM.
Does anyone know how svnserve might be run from a chroot jail?
The server is typically started with something like (from /etc/rc.d/svnserve, developed earlier in this thread):

# svnserve -d -r /var/svn --listen-host=minerva.bohemia.net --listen-port=3690

So a simplistic first attempt might be:

# chroot -g _svn -u _svn /var/svn svnserve -d -r /var/svn --listen-host=minerva.bohemia.net --listen-port=3690

or (notice the -r option):

# chroot -g _svn -u _svn /var/svn svnserve -d -r / --listen-host=minerva.bohemia.net --listen-port=3690

I could start experimenting but I don't want to hose my repository and a backup/restore procedure hasn't been developed yet. Is it simple or should I prepare for some experimentation?
I haven't chrooted svnserve but I have done it with Java. You'll probably have to experiment to figure out the details of svnserve's needs.
Run ldd on the executable and see what shared libraries it built against. You then have to copy them all (including _p.a and .a files) into the chroot directory in the same layout as the real system. Since you're using a hostname, you might need etc/resolv.conf, also. You'll have to hack at it from there.

Tim.
You may also discover you need more than dynamic libraries and their infrastructure files. If the application forks new processes, you will also need whatever filesystem components these child processes require. And if any process opens device special files, you will need to ensure the filesystem is not mounted with the nodev option.
Time to initiate a backup strategy, and test it, before you do anything else.
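Tim's suggestion of running ldd and copying what it lists into the jail in the same layout as the real system can be scripted, which also answers hanzer's worry about experimenting on the live repository: rehearse the copy against a scratch tree first. The script below is an added example, not code from the thread. It assumes OpenBSD's ldd column format (Start, End, Type, Open, Ref, GrpRef, Name), uses a constructed sample of that output whose library names and addresses are illustrative placeholders, and stages into a scratch jail. On a real system you would pipe `ldd /usr/local/bin/svnserve` into stage_chroot with / as the source root; files the daemon opens at runtime (etc/resolv.conf, anything forked children need, device nodes) are outside what ldd reports and still have to be added by hand, as the replies above note.

```shell
#!/bin/sh
# Added example, not from the thread: turn ldd(1) output for a binary into the
# list of shared objects its chroot needs, then stage the binary and those
# objects into the jail with the same directory layout as the real system.
# The ldd output below is constructed in OpenBSD's column format; the library
# names and addresses are illustrative placeholders, not from a real host.

# ldd_lib_paths < LDD_OUTPUT: print one absolute path per shared object.
# OpenBSD ldd prints Start End Type Open Ref GrpRef Name; the Type column is
# exe for the binary itself, rlib/dlib for libraries and ld.so for the linker.
ldd_lib_paths() {
    awk '$3 == "rlib" || $3 == "dlib" || $3 == "ld.so" { print $7 }'
}

# stage_file SRCROOT DESTROOT PATH: copy SRCROOT/PATH to DESTROOT/PATH,
# creating parent directories. SRCROOT is / on a live system; it is a
# parameter so the procedure can be rehearsed against a scratch tree first.
stage_file() {
    src="${1%/}$3"; dst="${2%/}$3"
    [ -f "$src" ] || { echo "missing: $src" >&2; return 1; }
    mkdir -p "$(dirname "$dst")" && cp -p "$src" "$dst"
}

# stage_chroot SRCROOT DESTROOT BINARY < LDD_OUTPUT: stage BINARY plus every
# object ldd listed. Returns the number of files that could not be found, so
# 0 means the jail has everything ldd knows about.
stage_chroot() {
    missing=0
    stage_file "$1" "$2" "$3" || missing=$((missing + 1))
    for p in $(ldd_lib_paths); do
        stage_file "$1" "$2" "$p" || missing=$((missing + 1))
    done
    return $missing
}

# Constructed sample of what "ldd /usr/local/bin/svnserve" might print.
sample_ldd='/usr/local/bin/svnserve:
        Start            End              Type  Open Ref GrpRef Name
        0000000000000000 0000000000000000 exe   1    0   0      /usr/local/bin/svnserve
        0000000000000000 0000000000000000 rlib  0    1   0      /usr/local/lib/libsvn_ra_svn-1.so.0.0
        0000000000000000 0000000000000000 rlib  0    2   0      /usr/local/lib/libsasl2.so.3.0
        0000000000000000 0000000000000000 rlib  0    3   0      /usr/lib/libc.so.89.3
        0000000000000000 0000000000000000 ld.so 0    1   0      /usr/libexec/ld.so'

# Rehearsal: build a scratch "real system" containing empty stand-ins for the
# files above, minus one library, and stage from it into a scratch jail.
scratch=$(mktemp -d)
trap 'rm -rf "$scratch"' EXIT
fake_root="$scratch/root"; jail="$scratch/jail"
for p in /usr/local/bin/svnserve $(printf '%s\n' "$sample_ldd" | ldd_lib_paths); do
    mkdir -p "$fake_root$(dirname "$p")" && : > "$fake_root$p"
done
rm "$fake_root/usr/local/lib/libsasl2.so.3.0"   # deliberately left out

printf '%s\n' "$sample_ldd" | stage_chroot "$fake_root" "$jail" /usr/local/bin/svnserve ||
    echo "$? file(s) could not be staged"
find "$jail" -type f | sort
```

The missing-file count is the useful output: a nonzero return means the jail is incomplete before the daemon has even been started, which is cheaper to discover here than from a silent failure of the chrooted svnserve.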