How to Set Up a More Secure Subversion Server on FreeBSD

By: Scott Muc - July 18th, 2005

Objective

After installing Subversion on a FreeBSD machine from the ports, I noticed that a boot script was never installed in /usr/local/etc/rc.d. I have a script that I can use to put in there, but I don't want, nor need, to run svnserve as root. Using Dan Bernstein's Daemon Tools and a text editor, you can easily get svnserve to run on boot as an unprivileged user.

Getting Started

Assuming you know how to install software from the ports, you should have Subversion and Daemon Tools installed.

The next step is to create your Subversion repository path and user.

    # mkdir /usr/local/svn
    # mkdir /usr/local/svn/repos
    # pw useradd svn -d /usr/local/svn
  

Configuration

Daemon Tools will run a file called run. Therefore we must create this run file and put it in the /usr/local/svn directory.

    #!/bin/sh
    exec setuidgid svn /usr/local/bin/svnserve -d --foreground \
        -r /usr/local/svn/repos --listen-host your.hostname.com
  

Create a repository under the /usr/local/svn/repos directory and modify the config files the way you desire. To make sure svnserve can manipulate the files, make sure the svn user owns the directory tree.

    # chown -R svn:svn /usr/local/svn
  

To add the service to Daemon Tools we symlink the directory to the /var/service directory.

    # cd /var/service
    # ln -s /usr/local/svn .
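
A check to run once the service is linked, added here as an example and not part of the original article: it reads the run file and reports a missing execute bit, a start line that does not drop to the svn user, a -r root that does not exist or is not owned by that user, and the placeholder hostname. The function names audit_svn_service, word_after and finding are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original article): audit a Daemon Tools
# service directory for svnserve. Function names are hypothetical.

# Print the word that follows WORD in FILE, skipping "\" continuations.
word_after() {
    awk -v w="$2" '{ for (i = 1; i <= NF; i++) {
        if ($i == "\\") continue
        if (p == w) { print $i; exit }
        p = $i } }' "$1"
}

finding() { echo "FINDING: $*"; rc=1; }

# audit_svn_service SERVICE_DIR SVC_USER -> 0 if clean, 1 if any finding.
audit_svn_service() {
    run="$1/run"; want="$2"; rc=0
    [ -f "$run" ] || { finding "$run is missing"; return 1; }
    # supervise cannot start a run file that is not executable.
    [ -x "$run" ] || finding "$run is not executable"
    # Without setuidgid, svnserve inherits root from supervise.
    user=$(word_after "$run" setuidgid)
    [ "$user" = "$want" ] ||
        finding "run starts svnserve as '${user:-root}', expected '$want'"
    # The -r root must exist and be owned by the account svnserve runs as.
    root=$(word_after "$run" -r)
    if [ ! -d "$root" ]; then
        finding "repository root '$root' (-r) is not a directory"
    else
        bad=$(find "$root" ! -user "$want" 2>&1 | head -n 3)
        [ -z "$bad" ] || finding "not owned by $want: $bad"
    fi
    # The article's placeholder hostname must be replaced before use.
    [ "$(word_after "$run" --listen-host)" != your.hostname.com ] ||
        finding "--listen-host still set to the placeholder"
    # Group and other must not be able to rewrite the start script.
    [ -z "$(find "$run" -perm -020 -o -perm -002)" ] ||
        finding "$run is group- or world-writable"
    return $rc
}

# Usage on the article's layout: audit_svn_service /usr/local/svn svn
```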
  

Conclusion

We have now lowered the risk of attack on this machine by running svnserve as the svn user. In the case of an unknown buffer overflow or other remote exploit, we can at least be sure that our box will not be taken over. Our repositories might get destroyed, but you make sure you have backups, right?

For more security, you can configure Subversion to communicate over HTTPS with mod_dav_svn, or with svn+ssh.


Scott Muc is a computer geek with too much time on his hands.