Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 1 Nov 2005 08:16:54 -0500
From:      "Cerion Armour-Brown" <cerion@terpsichore.ws>
To:        Giorgos Keramidas <keramida@ceid.upatras.gr>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: running subversion as non-root
Message-ID:  <20051101131654.M27340@terpsichore.ws>
In-Reply-To: <20051101125617.GA2318@flame.pc>
References:  <20051101105745.M78709@terpsichore.ws> <20051101124144.GA1568@flame.pc> <20051101125015.M15158@terpsichore.ws> <20051101125617.GA2318@flame.pc>

next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 1 Nov 2005 14:56:17 +0200, Giorgos Keramidas wrote
> On 2005-11-01 07:50, Cerion Armour-Brown <cerion@terpsichore.ws> wrote:
> >On Tue, 1 Nov 2005 14:41:45 +0200, Giorgos Keramidas wrote
> >>On 2005-11-01 05:57, Cerion Armour-Brown <cerion@terpsichore.ws> wrote:
> >>> Running subversion as root works fine, but under user 'svn' I get a load of
> >>> permission problems, e.g.
> >>> /usr/libexec/ld-elf.so.1: Cannot open
"/usr/local/lib/apache2/libaprutil-0.so.9"
> >>>
> >>> I fixed this by adding svn to group wheel, but am not sure if this is 'the
> >>> right way'.   Is there a standard solution to this?
> >> 
> >> What are the permissions of all the path components up to and
> >> including the library that fails to load?
> >> 
> >> Something like this could print all the path components and their
> >> permissions:
> >> 
> >>     ls -ld $(
> >>         libpath='/usr/local/lib/apache2/libaprutil-0.so.9'
> >>         while [ -n "${libpath}" ] && [ ! "${libpath_prev}" = "${libpath}"
]; do
> >>             echo "${libpath}"
> >>             libpath_prev="${libpath}"
> >>             libpath=$(dirname "${libpath}")
> >>         done )
> > 
> > drwxr-xr-x  15 root  wheel    512 Jun  3 10:05 //
> > drwxr-xr-x  16 root  wheel    512 Oct 31 15:05 /usr/
> > drwxr-xr-x  17 root  wheel    512 Oct 31 15:45 /usr/local/
> > drwxr-xr-x  14 root  wheel   4608 Nov  1 10:09 /usr/local/lib/
> > drwxr-xr-x   2 root  wheel    512 Oct 31 13:43 /usr/local/lib/apache2/
> > -rwxr-x---   1 root  wheel  89832 Oct 31 13:43
/usr/local/lib/apache2/libaprutil-0.so.9*
> > lrwxr-x---  1 root  wheel      17 Oct 31 13:43
/usr/local/lib/apache2/libaprutil-0.so@ -> libaprutil-0.so.9
> > 
> > this look like yours?
> 
> I'm not sure if this was done for security reasons, but IMHO you
> have two options:
> 
>     (1) Add the 'svn' user to the wheel group.  This is not a
>         good idea, as being a part of the wheel group gives
>         permissions that subversion doesn't really need.
> 
>     (2) Change the permissions of libaprutil*.so* files to 0755,
>         which would allow subversion to access the shared
>         libraries without being in the wheel group.
> 
> I'd go for option (2) if I were you.
> 
> - Giorgos

My instinct was the same, and I tried this, but there are more libs with the
same permissions problems...
/usr/libexec/ld-elf.so.1: Cannot open "/usr/local/lib/libdb-4.2.so.2"
and if i fix that one...
/usr/libexec/ld-elf.so.1: Cannot open "/usr/local/lib/apache2/libapr-0.so.9"

This really doesn't seem the right way of doing things... is there no 3rd way?
Cerion



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051101131654.M27340>