Date: Tue, 1 Nov 2005 08:16:54 -0500 From: "Cerion Armour-Brown" <cerion@terpsichore.ws> To: Giorgos Keramidas <keramida@ceid.upatras.gr> Cc: freebsd-questions@freebsd.org Subject: Re: running subversion as non-root Message-ID: <20051101131654.M27340@terpsichore.ws> In-Reply-To: <20051101125617.GA2318@flame.pc> References: <20051101105745.M78709@terpsichore.ws> <20051101124144.GA1568@flame.pc> <20051101125015.M15158@terpsichore.ws> <20051101125617.GA2318@flame.pc>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 1 Nov 2005 14:56:17 +0200, Giorgos Keramidas wrote > On 2005-11-01 07:50, Cerion Armour-Brown <cerion@terpsichore.ws> wrote: > >On Tue, 1 Nov 2005 14:41:45 +0200, Giorgos Keramidas wrote > >>On 2005-11-01 05:57, Cerion Armour-Brown <cerion@terpsichore.ws> wrote: > >>> Running subversion as root works fine, but under user 'svn' I get a load of > >>> permission problems, e.g. > >>> /usr/libexec/ld-elf.so.1: Cannot open "/usr/local/lib/apache2/libaprutil-0.so.9" > >>> > >>> I fixed this by adding svn to group wheel, but am not sure if this is 'the > >>> right way'. Is there a standard solution to this? > >> > >> What are the permissions of all the path components up to and > >> including the library that fails to load? > >> > >> Something like this could print all the path components and their > >> permissions: > >> > >> ls -ld $( > >> libpath='/usr/local/lib/apache2/libaprutil-0.so.9' > >> while [ -n "${libpath}" ] && [ ! "${libpath_prev}" = "${libpath}" ]; do > >> echo "${libpath}" > >> libpath_prev="${libpath}" > >> libpath=$(dirname "${libpath}") > >> done ) > > > > drwxr-xr-x 15 root wheel 512 Jun 3 10:05 // > > drwxr-xr-x 16 root wheel 512 Oct 31 15:05 /usr/ > > drwxr-xr-x 17 root wheel 512 Oct 31 15:45 /usr/local/ > > drwxr-xr-x 14 root wheel 4608 Nov 1 10:09 /usr/local/lib/ > > drwxr-xr-x 2 root wheel 512 Oct 31 13:43 /usr/local/lib/apache2/ > > -rwxr-x--- 1 root wheel 89832 Oct 31 13:43 /usr/local/lib/apache2/libaprutil-0.so.9* > > lrwxr-x--- 1 root wheel 17 Oct 31 13:43 /usr/local/lib/apache2/libaprutil-0.so@ -> libaprutil-0.so.9 > > > > this look like yours? > > I'm not sure if this was done for security reasons, but IMHO you > have two options: > > (1) Add the 'svn' user to the wheel group. This is not a > good idea, as being a part of the wheel group gives > permissions that subversion doesn't really need. > > (2) Change the permissions of libaprutil*.so* files to 0755, > which would allow subversion to access the shared > libraries without being in the wheel group. > > I'd go for option (2) if I were you. > > - Giorgos My instinct was the same, and I tried this, but there are more libs with the same permissions problems... /usr/libexec/ld-elf.so.1: Cannot open "/usr/local/lib/libdb-4.2.so.2" and if i fix that one... /usr/libexec/ld-elf.so.1: Cannot open "/usr/local/lib/apache2/libapr-0.so.9" This really doesn't seem the right way of doing things... is there no 3rd way? Cerion
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051101131654.M27340>