避免让 subversion 修改 Linux 文件权限。
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/5953169/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Avoid having subversion modify Linux file permissions.
提问by Scott
All of my code base is being stored in a subversion repository that I disperse amongst my load balanced Apache web servers, making it easy to check out code, run updates, and seamlessly get my code in development onto production.
我的所有代码库都存储在一个 subversion 存储库中,我将其分散在负载均衡的 Apache Web 服务器中,从而可以轻松地检查代码、运行更新以及将开发中的代码无缝地投入生产。
One of the inconveniences that I'm sure there is a easy work around for (other than executing a script upon every checkout), is getting the Linux permissions set (back) on files that are updated or checked out with subversion. Our security team has it set that the Ownerand Groupset in the httpd.conffiles, and all directories within the documentRootreceive permissions of 700, all non-executable files (e.g. *.php, *.smarty, *.png) receive Linux permissions of 600, all executable files receive 700 (e.g. *.sh, *.pl, *.py). All files must have owner and group set to apache:apachein order to be read by the httpd service since only the file owner is set to have access via the permissions.
我确信有一个简单的解决方法(除了在每次签出时执行脚本)的不便之一是在使用 subversion 更新或签出的文件上设置(返回)Linux 权限。我们的安全团队已经在httpd.conf文件中设置了Owner和Group设置,并且所有目录在700的接收权限内,所有不可执行的文件(例如*.php、*.smarty、*.png)接收Linux权限为600,所有可执行文件都收到 700(例如 *.sh、*.pl、*.py)。所有文件都必须将所有者和组设置为才能被 httpd 服务读取,因为只有文件所有者才能通过权限进行访问。documentRootapache:apache
Every time I run an svn update, or svn co, even though the files may not be created (i.e. svn update), I'm finding that the ownership of the files is getting set to the account that is running the svn commands, and often times, the file permissions are getting set to something other than what they were originally (i.e. a .htm file before an update is 600, but after and svn update, it gets set to 755, or even 777).
每次运行svn update, or 时svn co,即使可能未创建文件(即svn update),我发现文件的所有权已设置为运行 svn 命令的帐户,并且通常是文件权限被设置为不同于它们原来的值(即更新前的 .htm 文件是 600,但在 和 之后svn update,它被设置为 755,甚至 777)。
What is the easiest way to bypass subversion's attempts at updating the file permissions and ownership? Is there something that can be done within the svn client, or on the Linux server to retain the original file permissions? I'm running RHEL5 (and now 6 on a few select instances).
绕过 Subversion 尝试更新文件权限和所有权的最简单方法是什么?有什么可以在svn客户端或Linux服务器上做的事情来保留原始文件权限吗?我正在运行 RHEL5(现在在一些选定的实例上运行 6 个)。
采纳答案by Petesh
the owner of the files will be set to the user that is running the svn command because of how it implements the underlying up command - it removes and replaces files that are updated, which will cause the ownership to 'change' to the relevant user. The only way to prevent this is to actually perform the svn up as the user that the files are supposed to be owned as. If you want to ensure that they're owned by a particular user, then run the command as that user.
文件的所有者将被设置为运行 svn 命令的用户,因为它如何实现底层 up 命令 - 它删除并替换更新的文件,这将导致所有权“更改”到相关用户。防止这种情况的唯一方法是以文件应该拥有的用户身份实际执行 svn up。如果要确保它们归特定用户所有,请以该用户身份运行该命令。
With regards to the permissions, svn is only obeying the umask settings of the account - it's probably something like 066 - in order to ensure that the file is inaccessible to group and other accounts, you need to issue 'umask 077' before performing the svn up, this ensures that the files are only accessible to the user account issuing the command.
关于权限,svn 只遵守账户的 umask 设置——它可能类似于 066——为了确保组和其他账户无法访问该文件,您需要在执行 svn 之前发出“umask 077”向上,这确保文件只能由发出命令的用户帐户访问。
I'd pay attention to the security issue of deploying the subversion data into the web server unless the .svn directories are secured.
除非 .svn 目录受到保护,否则我会注意将 subversion 数据部署到 Web 服务器的安全问题。
回答by thomson_matt
You can store properties on a file in Subversion (see http://svnbook.red-bean.com/en/1.0/ch07s02.html). You're particularly interested in the svn:executable property, which will make sure that the executable permission is stored.
您可以在 Subversion 中的文件中存储属性(请参阅http://svnbook.red-bean.com/en/1.0/ch07s02.html)。您对 svn:executable 属性特别感兴趣,它将确保存储可执行权限。
There's no general way to do this for all permissions, though. Subversion doesn't store ownership either - it assumes that, if you check something out, you own it.
但是,没有通用的方法可以对所有权限执行此操作。Subversion 也不存储所有权 - 它假设,如果您检查某些东西,您就拥有它。
回答by ACK_stoverflow
One thing you may consider doing is installing the svnbinary outside your path, and putting a replacement script (at and called /usr/bin/svn, or whatever) in the path. The script would look something like this:
您可能会考虑做的一件事是svn在您的路径之外安装二进制文件,并在路径中放置一个替换脚本(at 和 called /usr/bin/svn,或其他)。脚本看起来像这样:
#!/bin/sh
# set umask, whatever else you need to do before svn commands
/opt/svn/svn $* # pass all arguments to the actual svn binary, stored outside the PATH
# run chmod, whatever else you need to do after svn commands
A definite downside is that you'll probably have to do some amount of parsing of the arguments passed to svn, i.e. so you can pass the same path to your chmod, not run chmod for most svn commands, etc.
一个明显的缺点是您可能必须对传递给 svn 的参数进行一些解析,即,您可以将相同的路径传递给您的 chmod,而不是为大多数 svn 命令运行 chmod,等等。
There are also probably some security considerations here. I don't know what your deployment environment is like, but you should probably investigate that a bit further.
这里可能还有一些安全方面的考虑。我不知道您的部署环境是什么样的,但您可能应该进一步调查一下。
回答by Gerben Versluis
I wrote a small script that stores permissions and owner, executes your SVN command and restores permissions and owner. It is probably is not hackerproof but for private use it does the job.
我写了一个小脚本来存储权限和所有者,执行您的 SVN 命令并恢复权限和所有者。它可能不是防黑客的,但对于私人使用,它可以完成这项工作。
svnupdate.sh:
svnupdate.sh:
#!/usr/bin/env bash
if [ $# -eq 0 ]; then
echo "Syntax: Description:
Archive SVN (asvn) will allow the recording of file types not
normally handled by svn. Currently this includes devices,
symlinks and file ownership/permissions.
Every file and directory has a 'file:permissions' property set and
every directory has a 'dir:devices' and 'dir:symlinks' for
recording the extra information.
Run this script instead of svn with the normal svn arguments.
<filename>"
exit
fi
IGNORENEXT=0
COMMANDS=''
FILES='';
for FILENAME in "$@"
do
if [[ $IGNORENEXT > 0 ]]; then
IGNORENEXT=0
else
case $FILENAME in
# global, shift argument if needed
--username|--password|--config-dir|--config-option)
IGNORENEXT=1
;;
--no-auth-cache|--non-interactive|--trust-server-cert)
;;
# update arguments, shift argument if needed
-r|--revision|--depth|--set-depth|--diff3-cmd|--changelist|--editor-cmd|--accept)
IGNORENEXT=1
;;
-N|--non-recursive|-q|--quiet|--force|--ignore-externals)
;;
*)
if [ -f $FILENAME ]; then
FILES="$FILES $FILENAME"
OLDPERM=$(stat -c%a $FILENAME)
OLDOWNER=$(stat -c%U $FILENAME)
OLDGROUP=$(stat -c%G $FILENAME)
FILECOMMANDS="chmod $OLDPERM $FILENAME; chown $OLDOWNER.$OLDGROUP $FILENAME;"
COMMANDS="$COMMANDS $FILECOMMANDS"
echo "COMMANDS: $FILECOMMANDS"
else
echo "File not found: $FILENAME"
fi
;;
esac
fi
done
OUTPUT=$(svn update "$@")
echo "$OUTPUT"
if [[ ( $? -eq 0 ) && ( $OUTPUT != Skipped* ) && ( $OUTPUT != "At revision"* ) ]]; then
bash -c "$COMMANDS"
ls -l $FILES
fi
回答by Ilya Bystrov
I also had a similar problem. I found a cool script: asvn (Archive SVN).
我也有类似的问题。我找到了一个很酷的脚本:asvn (Archive SVN)。
You can download it here: https://svn.apache.org/repos/asf/subversion/trunk/contrib/client-side/asvn
你可以在这里下载:https: //svn.apache.org/repos/asf/subversion/trunk/contrib/client-side/asvn
Description: Archive SVN (asvn) will allow the recording of file types not normally handled by svn. Currently this includes devices, symlinks and file ownership/permissions. Every file and directory has a 'file:permissions' property set and every directory has a 'dir:devices' and 'dir:symlinks' for recording the extra information. Run this script instead of svn with the normal svn arguments.
##代码##
This blog entry (which helps me to find script) http://jon.netdork.net/2010/06/28/configuration-management-part-ii-setting-up-svn/shows a simple usage.
这个博客条目(帮助我找到脚本)http://jon.netdork.net/2010/06/28/configuration-management-part-ii-setting-up-svn/展示了一个简单的用法。
回答by Bell
You can solve this. Use setgid.
你可以解决这个问题。使用setgid.
You have
apache:apacherunning the serverSet group permission on all files and directories. The server will read files by it's group
Set
setgidon all directories - only on directories: setting this on files has a different functionExample ('2' is setgid):
chmod 2750
Make
apachethe group of all directories
你已经
apache:apache运行了服务器设置对所有文件和目录的组权限。服务器将按其组读取文件
设置
setgid对所有目录-只有在目录:在文件上设置这有不同的功能示例('2' 是 setgid):
chmod 2750
使
apache所有目录的组
What happens is
发生的事情是
New files and directories created by any accountwill be owned by the
apachegroupNew directories will inherit the
setgidand thus preserve the structure without any effort
任何帐户创建的新文件和目录都将归该
apache组所有新目录将继承
setgid并因此毫不费力地保留结构
See https://en.wikipedia.org/wiki/Setuid#setuid_and_setgid_on_directories
请参阅https://en.wikipedia.org/wiki/Setuid#setuid_and_setgid_on_directories
