DaemonForums  
#1, posted 8th April 2016 by hanzer (Real Name: Adam Jensen)

Subversion on OpenBSD: svnserve+sasl

Hi, I would like to set up a fast, simple (lightweight), secure Subversion repository server on OpenBSD. I've found the svnbook (and the chapter on Server Configuration) and I think I need the svnserve+sasl configuration. The Built-in Authentication and Authorization would work except the repository data is sent over the network in the clear. Tunneling over SSH seems simple but I don't want svn users to have ssh (system user) accounts.

This is what I'm working with:

$ dmesg | head -n 2
OpenBSD 5.8-stable (GENERIC) #1: Sun Feb 28 17:25:17 EST 2016
    root@minerva.bohemia.net:/usr/src/sys/arch/i386/compile/GENERIC

$ svnserve --version
svnserve, version 1.8.14 (r1692801)
   compiled Mar 13 2016, 22:49:48 on i386-unknown-openbsd5.8

Copyright (C) 2015 The Apache Software Foundation.
This software consists of contributions made by many people;
see the NOTICE file for more information.
Subversion is open source software, see http://subversion.apache.org/

The following repository back-end (FS) modules are available:

* fs_fs : Module for working with a plain file (FSFS) repository.
* fs_base : Module for working with a Berkeley DB repository.

Cyrus SASL authentication is available.

$ svn --version
svn, version 1.8.14 (r1692801)
   compiled Mar 13 2016, 22:49:48 on i386-unknown-openbsd5.8

Copyright (C) 2015 The Apache Software Foundation.
This software consists of contributions made by many people;
see the NOTICE file for more information.
Subversion is open source software, see http://subversion.apache.org/

The following repository access (RA) modules are available:

* ra_svn : Module for accessing a repository using the svn network protocol.
  - with Cyrus SASL authentication
  - handles 'svn' scheme
* ra_local : Module for accessing a repository on local disk.
  - handles 'file' scheme
* ra_serf : Module for accessing a repository via WebDAV protocol using serf.
  - using serf 1.3.8
  - handles 'http' scheme
  - handles 'https' scheme

I noticed that there is an /etc/rc.d script for saslauthd but there is not a script for svnserve.

So the real question is: Does anyone know of an OpenBSD/svnserve+sasl How-To configuration guide? If not, does anyone want to help me develop one?

Last edited by hanzer; 9th April 2016 at 12:07 AM. Reason: s/quote/code/g
#2, posted 9th April 2016 by hanzer

Update

I think I've cobbled together something that basically works but it's not entirely finished and it almost certainly needs some refinement and sanity checks. Here's the process:

# groupadd _svn

# useradd -d /var/svn -m -c "Subversion svnserve" -g _svn -L daemon -s /sbin/nologin _svn

# rm -rf /var/svn/.*

See: How to add a user/group for a daemon

$ doas -u _svn svnadmin create /var/svn/project-A

$ doas -u _svn vi /var/svn/project-A/conf/svnserve.conf
[general]
anon-access = none
auth-access = write
realm = minerva.bohemia.net
[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256

$ doas vi /usr/local/lib/sasl2/svn.conf
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /etc/my_sasldb
mech_list: DIGEST-MD5

$ doas chgrp bin /usr/local/lib/sasl2/svn.conf

$ doas saslpasswd2 -c -f /etc/my_sasldb -a svnserve -u minerva.bohemia.net hanzer

$ doas chown _svn:_svn /etc/my_sasldb.db

# doas -u _svn svnserve -d -r /var/svn

$ svn mkdir svn://minerva.bohemia.net/project-A/{trunk,tags,branches} -m "Creating basic directory structure"
Authentication realm: <svn://minerva.bohemia.net:3690> minerva.bohemia.net
Password for 'hanzer': **********

$ svn list svn://minerva.bohemia.net/project-A
Authentication realm: <svn://minerva.bohemia.net:3690> minerva.bohemia.net
Password for 'hanzer': **********

branches/
tags/
trunk/

With this, I guess what's left is to write a /etc/rc.d/svnserve script that can accept flags (like "-r /var/svn") from /etc/rc.conf.local.
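The settings in post #2 are the ones that decide whether credentials and repository data cross the wire in the clear (use-sasl, min-encryption, and which SASL mechanisms svn.conf offers). The following shell script is an added example, not code from the thread: it writes the thread's two configuration files into a scratch directory and audits them, then does the same for a deliberately weakened variant so the audit has something to flag. The realm, paths and the _svn user come from the thread; the function names, the scratch directory and the weak variant are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the svnserve.conf/svn.conf
# pair from post #2 into a scratch directory and audit them for the settings
# that keep svnserve traffic and credentials off the wire in the clear.
# Function names, scratch paths and the "weak" variant are assumptions.
set -u

# Value of KEY in [SECTION] of an INI-style file such as svnserve.conf.
ini_get() {  # ini_get FILE SECTION KEY
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { in_sec = ($0 ~ ("^[ \t]*\\[" sec "\\]")); next }
        in_sec {
            line = $0; sub(/^[ \t]+/, "", line)
            n = index(line, "="); if (n == 0) next
            k = substr(line, 1, n - 1); sub(/[ \t]+$/, "", k)
            if (k != key) next
            v = substr(line, n + 1); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            print v; exit
        }' "$1"
}

# Value of KEY in a Cyrus SASL "key: value" application file such as svn.conf.
sasl_get() {  # sasl_get FILE KEY
    awk -v key="$2" '
        { n = index($0, ":"); if (n == 0) next
          if (substr($0, 1, n - 1) != key) next
          v = substr($0, n + 1); sub(/^[ \t]+/, "", v); print v; exit }' "$1"
}

# Audit one repository's svnserve.conf plus the svn.conf SASL application file.
# Prints each finding; the exit status is the number of findings (0 = clean).
audit_svn_sasl() {  # audit_svn_sasl SVNSERVE_CONF SASL_CONF
    findings=0
    anon=$(ini_get "$1" general anon-access)
    use_sasl=$(ini_get "$1" sasl use-sasl)
    minenc=$(ini_get "$1" sasl min-encryption)
    mechs=$(sasl_get "$2" mech_list)

    if [ "$anon" != "none" ]; then
        echo "anon-access is '${anon:-<unset>}', expected none"; findings=$((findings + 1))
    fi
    if [ "$use_sasl" != "true" ]; then
        echo "use-sasl is '${use_sasl:-<unset>}': built-in auth sends data in the clear"
        findings=$((findings + 1))
    fi
    case "$minenc" in
        ''|*[!0-9]*) echo "min-encryption is '${minenc:-<unset>}', expected a key length in bits"
                     findings=$((findings + 1)) ;;
        *) [ "$minenc" -ge 128 ] || { echo "min-encryption=$minenc allows weak or no encryption"
                                      findings=$((findings + 1)); } ;;
    esac
    for m in $mechs; do
        case "$m" in
            PLAIN|LOGIN|ANONYMOUS) echo "mech_list offers cleartext mechanism $m"; findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

# Write the thread's configuration into DIR (a scratch directory, not /var/svn).
write_thread_config() {  # write_thread_config DIR
    mkdir -p "$1/conf" "$1/sasl2"
    cat > "$1/conf/svnserve.conf" <<'EOF'
[general]
anon-access = none
auth-access = write
realm = minerva.bohemia.net
[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256
EOF
    cat > "$1/sasl2/svn.conf" <<'EOF'
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /etc/my_sasldb
mech_list: DIGEST-MD5
EOF
}

# A weakened variant, constructed here only to show what the audit catches.
write_weak_config() {  # write_weak_config DIR
    mkdir -p "$1/conf" "$1/sasl2"
    printf '%s\n' '[general]' 'anon-access = read' 'auth-access = write' \
        'realm = minerva.bohemia.net' '[sasl]' 'use-sasl = true' \
        'min-encryption = 0' > "$1/conf/svnserve.conf"
    printf '%s\n' 'pwcheck_method: auxprop' 'auxprop_plugin: sasldb' \
        'sasldb_path: /etc/my_sasldb' 'mech_list: PLAIN DIGEST-MD5' > "$1/sasl2/svn.conf"
}

# Usage: audit both variants in a temporary directory.
run_demo() {
    tmp=${TMPDIR:-/tmp}/svnaudit.$$
    write_thread_config "$tmp/good"; write_weak_config "$tmp/weak"
    audit_svn_sasl "$tmp/good/conf/svnserve.conf" "$tmp/good/sasl2/svn.conf" && echo "thread config: clean"
    audit_svn_sasl "$tmp/weak/conf/svnserve.conf" "$tmp/weak/sasl2/svn.conf" || echo "weak config: $? finding(s)"
    rm -rf "$tmp"
}
run_demo
```

On a real server the two arguments would be /var/svn/project-A/conf/svnserve.conf and /usr/local/lib/sasl2/svn.conf; running the audit over every repository under /var/svn in a loop is a cheap sanity check to add before publishing the guide.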
#3, posted 9th April 2016 by hanzer

Update

So far...

$ doas vi /etc/rc.d/svnserve
#!/bin/sh
daemon="/usr/local/bin/svnserve"
daemon_flags="-d --pid-file=/var/run/svnserve.pid"
daemon_user="_svn"
. /etc/rc.d/rc.subr
rc_usercheck=NO
rc_check=NO
rc_reload=NO
rc_cmd $1

$ doas chmod 555 /etc/rc.d/svnserve

And these modifications to /etc/rc.conf.local:
svnserve_flags="-r /var/svn --listen-host=minerva.bohemia.net --listen-port=3690"

But...

$ doas /etc/rc.d/svnserve start
svnserve(failed)

Any ideas?

Last edited by hanzer; 10th April 2016 at 12:04 AM. Reason: clarity
#4, posted 10th April 2016 by jggimi

I'll guess that _svn does not have the authority to create files in /var/run, only root can write in that directory. If this is the problem, write your pid file where _svn has authority to write files.

You can debug an rc.subr(8) script with the -d option.
#5, posted 10th April 2016 by hanzer

Quote:
Originally Posted by jggimi
I'll guess that _svn does not have the authority to create files in /var/run, only root can write in that directory. If this is the problem, write your pid file where _svn has authority to write files.

You can debug an rc.subr(8) script with the -d option.

Cool, thanks! Here we go:

/etc/rc.d/svnserve
#!/bin/sh
daemon="/usr/local/bin/svnserve"
daemon_flags="-d"
daemon_user="_svn"
. /etc/rc.d/rc.subr
rc_cmd $1

$ doas /etc/rc.d/svnserve -d start
doing _rc_parse_conf
doing _rc_quirks
svnserve_flags >-r /var/svn --listen-host=minerva.bohemia.net --listen-port=3690<
doing _rc_read_runfile
doing rc_check
svnserve
doing rc_start
You must specify exactly one of -d, -i, -t or -X.
Type '/usr/local/bin/svnserve --help' for usage.
doing _rc_rm_runfile
(failed)

Hmm, trying:
#!/bin/sh
daemon="/usr/local/bin/svnserve"
daemon_flags="-d"
daemon_user="_svn"
. /etc/rc.d/rc.subr
rc_start() {
        ${rcexec} "${daemon} -d ${daemon_flags}"
}
rc_cmd $1

$ doas /etc/rc.d/svnserve -d start
doing _rc_parse_conf
doing _rc_quirks
svnserve_flags >-r /var/svn --listen-host=minerva.bohemia.net --listen-port=3690<
doing _rc_read_runfile
doing rc_check
svnserve
doing rc_start
doing _rc_write_runfile
(ok)

WTF? Ok, try this:
#!/bin/sh
daemon="/usr/local/bin/svnserve"
daemon_flags="-d"
daemon_user="_svn"
. /etc/rc.d/rc.subr
rc_start() {
        /bin/echo ${daemon_flags}
        /bin/echo ${svnserve_flags}
        ${rcexec} "${daemon} -d ${daemon_flags}"
}
rc_cmd $1

$ doas /etc/rc.d/svnserve -d start
doing _rc_parse_conf
doing _rc_quirks
svnserve_flags >-r /var/svn --listen-host=minerva.bohemia.net --listen-port=3690<
doing _rc_read_runfile
doing rc_check
svnserve
doing rc_start
-r /var/svn --listen-host=minerva.bohemia.net --listen-port=3690
-r /var/svn --listen-host=minerva.bohemia.net --listen-port=3690
doing _rc_write_runfile
(ok)

Hmm, $ man rc.d says:
daemon_flags    Additional arguments to call the daemon with.
                These will be appended to any mandatory arguments
                already contained in the daemon variable defined in
                the control script.

So, maybe:
#!/bin/sh
daemon="/usr/local/bin/svnserve -d"
daemon_user="_svn"
. /etc/rc.d/rc.subr
rc_cmd $1

$ doas /etc/rc.d/svnserve -d start
doing _rc_parse_conf
doing _rc_quirks
svnserve_flags >-r /var/svn --listen-host=minerva.bohemia.net --listen-port=3690<
doing _rc_read_runfile
doing rc_check
svnserve
doing rc_start
doing _rc_write_runfile
(ok)

Disco!
#6, posted 10th April 2016 by TronDD

In the man page, just below what you posted, it states that daemon_flags is overridden when you specify svnserve_flags. So as you saw, the -d needed to go in the daemon variable to always be added to the command.

Tim.
#7, posted 10th April 2016 by hanzer

Quote:
Originally Posted by TronDD
In the man page, just below what you posted, it states that daemon_flags is overridden when you specify svnserve_flags. So as you saw, the -d needed to go in the daemon variable to always be added to the command.

Tim.

Yeah, it took a little wiggling before I found a working perspective and interpretation.

I guess now it's time to refine the process and prepare to maybe post something in Guides.

Do you (anyone) see any rough edges? For example, if sasl is used for other servers, the permissions on /etc/my_sasldb.db probably need to be done differently.

Last edited by hanzer; 10th April 2016 at 03:33 AM.
#8, posted 24th April 2016 by hanzer

Does anyone know how svnserve might be run from a chroot jail?

The server is typically started with something like (from /etc/rc.d/svnserve, developed earlier in this thread):

# svnserve -d -r /var/svn --listen-host=minerva.bohemia.net --listen-port=3690

So a simplistic first attempt might be:

# chroot -g _svn -u _svn /var/svn svnserve -d -r /var/svn --listen-host=minerva.bohemia.net --listen-port=3690

or (notice the -r option):

# chroot -g _svn -u _svn /var/svn svnserve -d -r / --listen-host=minerva.bohemia.net --listen-port=3690

I could start experimenting but I don't want to hose my repository and a backup/restore procedure hasn't been developed yet.

Is it simple or should I prepare for some experimentation?
#9, posted 25th April 2016 by TronDD

I haven't chrooted svnserve but I have done it with Java. You'll probably have to experiment to figure out the details of svnserve's needs.

Run ldd on the executable and see what shared libraries it built against. You then have to copy them all (including _p.a and .a files) into the chroot directory in the same layout as the real system. Since you're using a hostname, you might need etc/resolv.conf, also.

You'll have to hack at it from there.

Tim.
Posted 25th April 2016 by jggimi

You may also discover you need more than dynamic libraries and their infrastructure files. If the application forks new processes, you will also need whatever filesystem components these child processes require. And if any process opens device special files, you will need to ensure the filesystem is not mounted with the nodev option.

Time to initiate a backup strategy, and test it, before you do anything else.
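TronDD's advice in #9 (run ldd, copy what it reports into the chroot in the host's layout) and jggimi's point in this post (the process may need more than libraries) both come down to building a file tree from a list of host paths. The script below is an added example, not code from the thread or from the svnserve project: ldd_paths extracts the object paths from an ldd listing, and populate_chroot copies any paths fed to it on stdin into the chroot at the same location they have on the host, so extra files such as etc/resolv.conf can be appended to the same stream. The parser understands both OpenBSD's tabular ldd output (the Name column) and glibc's "=> /path" form; the function names, the scratch directories and the two sample ldd listings (library versions and addresses made up) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: populate a chroot with the shared
# objects ldd reports for a binary, keeping the host's directory layout.
# Function names, scratch paths and the sample ldd listings are assumptions.
set -u

# Absolute paths from an ldd listing on stdin, one per line, without the
# binary's own entry or duplicates. Works for OpenBSD's tabular format and
# glibc's "=> /path" format because every object appears as a "/..." token.
ldd_paths() {  # ldd_paths BINARY < ldd-output
    awk -v self="$1" '
        { for (i = 1; i <= NF; i++) {
              p = $i; sub(/:$/, "", p)
              if (p ~ /^\// && p != self && !seen[p]++) print p
          } }'
}

# Copy each path on stdin into ROOT at the same path it has on the host
# (cp follows symlinks, so the chroot receives the real object). Prints the
# number of files copied; anything that is not a regular file is reported
# on stderr and skipped.
populate_chroot() {  # populate_chroot ROOT < paths
    root=$1; n=0
    while IFS= read -r p; do
        if [ ! -f "$p" ]; then echo "skip $p: not a regular file" >&2; continue; fi
        mkdir -p "$root${p%/*}"
        cp -p "$p" "$root$p"
        n=$((n + 1))
    done
    echo "$n"
}

# For a real host: build ROOT's library tree for BINARY from the host's ldd.
# Append further host paths (for example /etc/resolv.conf) to the same stream.
build_chroot_libs() {  # build_chroot_libs ROOT BINARY [EXTRA_PATH...]
    root=$1; bin=$2; shift 2
    { ldd "$bin" | ldd_paths "$bin"; [ $# -eq 0 ] || printf '%s\n' "$@"; } | populate_chroot "$root"
}

# Constructed OpenBSD-style ldd output (addresses and library versions made up).
SAMPLE_LDD_OPENBSD='/usr/local/bin/svnserve:
        Start            End              Type  Open Ref GrpRef Name
        0000000000400000 0000000000600000 exe   1    0   0      /usr/local/bin/svnserve
        0000000000600000 0000000000800000 rlib  0    1   0      /usr/local/lib/libsvn_repos-1.so.0.0
        0000000000800000 0000000000a00000 rlib  0    1   0      /usr/lib/libc.so.80.1
        0000000000a00000 0000000000c00000 ld.so 0    1   0      /usr/libexec/ld.so'

# Constructed glibc-style ldd output, to show the parser is not OpenBSD-only.
SAMPLE_LDD_GLIBC='        linux-vdso.so.1 (0x00007ffd00000000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000000000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f0000200000)'

# Demo: parse both listings, then copy a constructed "library" from a fake
# host tree into a scratch chroot and show it landed at the same relative path.
run_demo() {
    tmp=${TMPDIR:-/tmp}/chrootdemo.$$
    echo "OpenBSD listing yields:"; printf '%s\n' "$SAMPLE_LDD_OPENBSD" | ldd_paths /usr/local/bin/svnserve
    echo "glibc listing yields:";   printf '%s\n' "$SAMPLE_LDD_GLIBC" | ldd_paths /usr/local/bin/svnserve
    mkdir -p "$tmp/host/usr/lib"; echo "fake object" > "$tmp/host/usr/lib/libfake.so.1.0"
    copied=$(printf '%s\n' "$tmp/host/usr/lib/libfake.so.1.0" | populate_chroot "$tmp/jail")
    echo "copied $copied file(s):"; find "$tmp/jail" -type f
    rm -rf "$tmp"
}
run_demo
```

Run build_chroot_libs as root against the real binary and chroot directory (for the thread's setup, /var/svn and /usr/local/bin/svnserve), then diff the jail's tree against the host after a test start to see what else the daemon opened; a chroot whose filesystem is mounted nodev will still fail on any device node the process needs, as jggimi notes.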