IST-ASAG
 

Subversion Repository Administration: Tips & Tricks

Subversion Repository Administration Tips & Tricks: Overview

As of May 2007, the installed version of Subversion on svn.berkeley.edu is 1.4.3. Documentation for this version is available as a single HTML page as well as in other formats.

It is anticipated that very few users (those most familiar with the administrative aspects of svn) will create new repositories, as documented in this HowTo. Repository administrators govern write access to projects and are responsible for creating new projects in their repositories.

Creating a new repository

The Subversion repositories maintained by IST use the filesystem (rather than a Berkeley DB database) to store versioned data. The standard command-line command to create repositories looks something like the following:

        svnadmin create --fs-type fsfs /path/to/repository
      

Creating the Repository in the Subversion Manual provides additional information.

Once the repository is created, additional steps are followed to standardize the new repo. These steps are scripted, and are most completely documented here by reference to the template shell script used to perform them. What follows is commentary; the shell script itself is the most complete and reliable documentation.

Once the repository is created, groups and permissions must be set so that the repository functions and access is governed at the Unix group and permissions level. [Note: governing commit/write privileges is covered in a separate document, Subversion Repositories: Governing Commit Permissions.]

The following succinctly illustrates group and file permissions for a repository on svn.berkeley.edu. This is the layout/model used in standard repositories, in which commit permissions are governed by a versioned configuration file (note the link in the hooks/ directory). Notes and further explanations follow the console output:

        $ pwd
        /svn/svn-ist/berkeley/projects/cfgtest
        
        $ ls -lgd
        drwxrwsr-x   8 repoadm      512 Mar 21 16:12 .
        
        $ ls -lg
        total 16
        -rw-rw----   1 repoadm      379 Mar 21 16:12 README.txt
        drwxr-s---   4 asag         512 Mar 21 16:12 SVN
        drwxr-s---   2 asag         512 Mar 21 16:12 conf
        drwxrws---   2 repoadm      512 Mar 21 16:12 dav
        drwxrws---   5 asag         512 Mar 21 17:01 db
        -r--r-----   1 asag           2 Mar 21 16:12 format
        drwxr-s---   2 asag         512 Mar 21 16:12 hooks
        drwxrws---   2 asag         512 Mar 21 16:12 locks
        
        $ ls -lg conf/
        total 4
        -rw-r-----   1 repoadm      684 Mar 21 16:12 authz
        -rw-r-----   1 repoadm      309 Mar 21 16:12 passwd
        -rw-rw-r--   1 repoadm     1361 Mar 21 16:12 svnserve.conf
        
        $ ls -lg hooks/
        total 56
        lrwxrwxrwx   1 asag          51 Mar 21 16:12 commit-access-control.cfg
          -> ../SVN/commit-permissions/commit-access-control.cfg
        -rwxr-xr-x   1 repoadm    11545 Mar 21 16:12 commit-access-control.pl
        -rwxr-xr-x   1 repoadm      571 Mar 21 16:12 post-commit
        -rw-rw----   1 repoadm     1411 Mar 21 16:12 post-commit.tmpl
        -rw-rw----   1 repoadm     1411 Mar 21 16:12 post-lock.tmpl
        -rw-rw----   1 repoadm     1475 Mar 21 16:12 post-revprop-change.tmpl
        -rwxr-xr-x   1 repoadm     2399 Mar 21 16:12 pre-commit
        -rw-rw----   1 repoadm     2336 Mar 21 16:12 pre-commit.tmpl
        -rw-rw----   1 repoadm     2336 Mar 21 16:12 pre-lock.tmpl
        -rw-rw----   1 repoadm     1952 Mar 21 16:12 pre-revprop-change.tmpl
        -rw-rw----   1 repoadm     2336 Mar 21 16:12 pre-unlock.tmpl
        -rw-rw----   1 repoadm     1533 Mar 21 16:12 start-commit.tmpl
        
        $ ls -lag SVN/
        total 8
        drwxr-s---   4 asag         512 Mar 21 16:12 .
        drwxrwsr-x   8 repoadm      512 Mar 21 16:12 ..
        drwxrws---   7 asag         512 Mar 21 16:12 .svn
        drwxrws---   3 asag         512 Mar 21 16:58 commit-permissions

        $ ls -lag SVN/commit-permissions/
        total 8
        drwxrws---   3 asag         512 Mar 21 16:58 .
        drwxr-s---   4 asag         512 Mar 21 16:12 ..
        drwxrws---   7 asag         512 Mar 21 16:58 .svn
        -rw-rw----   1 asag         517 Mar 21 16:58 commit-access-control.cfg
      

Unix Groups Legend:

  • repoadm: Subversion and CVS application administrators on svn.berkeley.edu. In general, logins in this group are used to set up new repositories in ist-administered directory trees on this server (and, thus, are the ones most interested in the material covered in this document).
  • asag: Users of the repository; in this case, users of a repository that belongs to the IST-AS Architecture Group (IST-ASAG).
  • svnusers: All users of IST's Subversion repositories on svn.berkeley.edu are members of this group.

Notes on file permissions:

  • The top level of the repository tree (/svn/ist-svn) allows the svnusers group r-s permission, and denies permission to others; this closes the entire repository tree to host users who are not in the svnusers group.
  • The directory tree is in the repoadm group, so that only members of this group can create new repositories; others have r-x permission on the parent directories of repositories, to allow any member of svnusers to traverse the directory tree.
  • Within individual repositories, groups and permissions are restricted to the narrowest set with which the repository can still be properly used and administered.
  • The file commit-access-control.cfg governs write (commit) access on different parts of the repository. This file may be modified by administrators of the repository in which it resides. Cf. Subversion Repositories: Governing Commit Permissions for detailed information.
  • Note read and execute permissions granted to Others in the hooks/ directory.

To create a repository and apply the permissions described above with a shell script, modify this script template appropriately for the desired repository location, your template file location, and your desired repository user group.
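The layout in the listing above can be checked mechanically after a repository is created or restored. The following is an added example, not the IST template script and not code from this page: a hypothetical `audit_repo` function that compares a repository against modes and groups transcribed from that listing. It assumes GNU `stat`; the role letters U and A are this example's shorthand for the repository user group (asag) and the admin group (repoadm).

```shell
#!/bin/sh
# Added example: audit a repository against the mode/group layout shown in
# the console listing. The table is transcribed from that listing.
# Columns: octal mode, role (U = user group, A = admin group), path.
LAYOUT='
2775 A .
2750 U SVN
2750 U conf
2770 A dav
2770 U db
440  U format
2750 U hooks
2770 U locks
640  A conf/authz
640  A conf/passwd
664  A conf/svnserve.conf
755  A hooks/pre-commit
'

# audit_repo REPO [USER_GROUP ADMIN_GROUP]
# Prints one line per deviation; returns 0 if clean, 1 on any drift.
# When the group names are omitted, only modes are checked.
audit_repo() {
    repo=$1 ugrp=${2:-} agrp=${3:-} bad=0
    while read -r mode role path; do
        [ -n "$mode" ] || continue          # skip blank table lines
        target="$repo/$path"
        if [ ! -e "$target" ]; then
            echo "MISSING $path"; bad=1; continue
        fi
        actual=$(stat -c '%a' "$target")    # GNU stat: octal mode incl. setgid
        [ "$actual" = "$mode" ] || { echo "MODE $path: $actual, expected $mode"; bad=1; }
        case $role in U) want=$ugrp ;; A) want=$agrp ;; esac
        if [ -n "$want" ]; then
            grp=$(stat -c '%G' "$target")
            [ "$grp" = "$want" ] || { echo "GROUP $path: $grp, expected $want"; bad=1; }
        fi
    done <<EOF
$LAYOUT
EOF
    return $bad
}

# Stand-alone use: sh audit.sh /path/to/repository asag repoadm
[ $# -eq 0 ] || audit_repo "$@"
```

A missing setgid bit shows up as a mode mismatch (for example 770 instead of 2770), which matters because the setgid bit is what makes new files under db/ inherit the repository group.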

Unix groups and permissions used to secure access-controlled repositories

Unix groups and permissions are used to secure access-controlled repositories from inappropriate read or write access. The following goals are realized:

  1. Repositories should not be created except by members of repoadm.
  2. Only users who are members of svnusers should be granted read-access to any location in the repository tree.

The second goal is achieved by restricting the root of the repository tree to group read and execute access by members of svnusers; no permissions are granted to other users. All users of any repository in the tree are (must be) members of svnusers.

The first goal is achieved by setting the group on directories in the tree, including the root directory of each repository, to repoadm, and granting only r-x permission to others.

The following shows the directory permission and group employed in the IST-AS branch of the directory tree:

        drwxr-s---   vcadmin   svnusers     /svn/svn-ist
        drwxrwsr-x   [userid]  repoadm      /svn/svn-ist/berkeley
        drwxrwsr-x   [userid]  repoadm      /svn/svn-ist/berkeley/projects
        drwxrwsr-x   [userid]  repoadm      /svn/svn-ist/berkeley/projects/ist
        drwxrwsr-x   [userid]  repoadm      /svn/svn-ist/berkeley/projects/ist/as
      

Permissions and groups in a repository created within the directory tree are described in the Creating a new repository section, above.

SVN Repository URLs vs. Filesystem on Subversion Server

The root of the Subversion Repository Service repositories on the host (svn.berkeley.edu) filesystem is the directory /svn/ist-svn/. However, directories directly under this root that contain repositories (e.g., /svn/ist-svn/berkeley/) are symbolically linked from under the /svn/ directory:

        $ pwd
        /svn
        $ ls -l berkeley
        lrwxrwxrwx   1 root     root          16 May  3 13:50 berkeley -> ist-svn/berkeley
      

This allows Subversion users to access repositories via URLs without ist-svn ... "branding" of the repositories corresponds to the campus, not to the campus organization that happens to provide the repository service.