The perfect subversion setup with linux authentication and svn+ssh

by Stephen Fluin 2009.02.21

Ever since I switched my source control repositories to subversion, I have been looking for the perfect setup where I could have multiple repositories with different sets of authors. I wanted single authors to be able to have access to multiple repositories, and I wanted to use standard PAM linux authentication because I already have a user setup for each of my authors. Based on these requirements, I believe I have achieved the perfect setup.
  1. The way to start this is to have a server running subversion with one or more repositories. I use Ubuntu so these paths may differ a little from the ones you would use.
  2. Edit the umask used by svnserve. svnserve is the program used for connecting to subversion over the protocol svn+ssh, as well as when accessing a repository directly using svn. We want to edit the umask so that whenever a file is modified or created, the permissions on that file allow other users of the group to continue editing it. There are probably a few ways you can do this, but I will focus on what I consider the simplest.

    In my installation, svnserve is located at /usr/bin/svnserve. This works perfectly because to change the umask we are going to add a small bash script and call it /usr/local/bin/svnserve. This allows us keep the original svnserve untouched, while instructing the system to use the new binary.

    umask 007
    exec /usr/bin/svnserve "$@"

    This file acts as a wrapper to set the umask to 007, which means all new files are fully read, write, and executable by owners and groups, and that everyone else has no access to the file. You could also set the umask to 002 if you want other users on your system outside of the group to be able to view your source code

  3. Setup the users and groups you want to use with your repositories. Make one group for each class of access you would like to provide. I usually create groups like svn-personal, svn-internal, or svn-. Make sure that each user belongs to the projects you want them to have access to.

  4. Change the permissions on each repository. For each repository, run:

    sudo chown -R :groupname /path/to/repo
    sudo chmod -R g+s /path/to/repo
    sudo chmod -R 770 /path/to/repo

Now you should be ready to go, each of your users will be able to access the repositories based on his or her group membership, and you shouldn't encounter any permission errors. Good luck and let me know if this has helped you or if you have other suggestions!