From 6273ebb0c30ef5cf65603bf27ef62365d4226e50 Mon Sep 17 00:00:00 2001 From: marcobrucale Date: Thu, 29 Oct 2009 14:41:17 +0000 Subject: [PATCH] --- README.txt | 5 ++ conf/authz | 32 +++++++++++++ conf/passwd | 8 ++++ conf/svnserve.conf | 47 +++++++++++++++++++ db/current | 1 + db/format | 2 + db/fs-type | 1 + db/fsfs.conf | 37 +++++++++++++++ db/min-unpacked-rev | 1 + db/rep-cache.db | Bin 0 -> 4096 bytes db/revprops/0/0 | 5 ++ db/revs/0/0 | 11 +++++ db/txn-current | 1 + db/txn-current-lock | 0 db/uuid | 1 + db/write-lock | 0 format | 1 + hooks/post-commit.tmpl | 50 ++++++++++++++++++++ hooks/post-lock.tmpl | 44 ++++++++++++++++++ hooks/post-revprop-change.tmpl | 56 +++++++++++++++++++++++ hooks/post-unlock.tmpl | 42 +++++++++++++++++ hooks/pre-commit.tmpl | 81 +++++++++++++++++++++++++++++++++ hooks/pre-lock.tmpl | 71 +++++++++++++++++++++++++++++ hooks/pre-revprop-change.tmpl | 66 +++++++++++++++++++++++++++ hooks/pre-unlock.tmpl | 63 +++++++++++++++++++++++++ hooks/start-commit.tmpl | 65 ++++++++++++++++++++++++++ locks/db-logs.lock | 3 ++ locks/db.lock | 3 ++ 28 files changed, 697 insertions(+) create mode 100644 README.txt create mode 100644 conf/authz create mode 100644 conf/passwd create mode 100644 conf/svnserve.conf create mode 100644 db/current create mode 100644 db/format create mode 100644 db/fs-type create mode 100644 db/fsfs.conf create mode 100644 db/min-unpacked-rev create mode 100644 db/rep-cache.db create mode 100644 db/revprops/0/0 create mode 100644 db/revs/0/0 create mode 100644 db/txn-current create mode 100644 db/txn-current-lock create mode 100644 db/uuid create mode 100644 db/write-lock create mode 100644 format create mode 100644 hooks/post-commit.tmpl create mode 100644 hooks/post-lock.tmpl create mode 100644 hooks/post-revprop-change.tmpl create mode 100644 hooks/post-unlock.tmpl create mode 100644 hooks/pre-commit.tmpl create mode 100644 hooks/pre-lock.tmpl create mode 100644 hooks/pre-revprop-change.tmpl create mode 100644 hooks/pre-unlock.tmpl create mode 100644 hooks/start-commit.tmpl create mode 100644 locks/db-logs.lock create mode 100644 locks/db.lock diff --git a/README.txt b/README.txt new file mode 100644 index 0000000..c93ca33 --- /dev/null +++ b/README.txt @@ -0,0 +1,5 @@ +This is a Subversion repository; use the 'svnadmin' tool to examine +it. Do not add, delete, or modify files here unless you know how +to avoid corrupting the repository. + +Visit http://subversion.tigris.org/ for more information. diff --git a/conf/authz b/conf/authz new file mode 100644 index 0000000..90d8838 --- /dev/null +++ b/conf/authz @@ -0,0 +1,32 @@ +### This file is an example authorization file for svnserve. +### Its format is identical to that of mod_authz_svn authorization +### files. +### As shown below each section defines authorizations for the path and +### (optional) repository specified by the section name. +### The authorizations follow. An authorization line can refer to: +### - a single user, +### - a group of users defined in a special [groups] section, +### - an alias defined in a special [aliases] section, +### - all authenticated users, using the '$authenticated' token, +### - only anonymous users, using the '$anonymous' token, +### - anyone, using the '*' wildcard. +### +### A match can be inverted by prefixing the rule with '~'. Rules can +### grant read ('r') access, read-write ('rw') access, or no access +### (''). + +[aliases] +# joe = /C=XZ/ST=Dessert/L=Snake City/O=Snake Oil, Ltd./OU=Research Institute/CN=Joe Average + +[groups] +# harry_and_sally = harry,sally +# harry_sally_and_joe = harry,sally,&joe + +# [/foo/bar] +# harry = rw +# &joe = r +# * = + +# [repository:/baz/fuz] +# @harry_and_sally = rw +# * = r diff --git a/conf/passwd b/conf/passwd new file mode 100644 index 0000000..d22bafc --- /dev/null +++ b/conf/passwd @@ -0,0 +1,8 @@ +### This file is an example password file for svnserve. +### Its format is similar to that of svnserve.conf. As shown in the +### example below it contains one section labelled [users]. +### The name and password for each user follow, one account per line. + +[users] +# harry = harryssecret +# sally = sallyssecret diff --git a/conf/svnserve.conf b/conf/svnserve.conf new file mode 100644 index 0000000..97c199e --- /dev/null +++ b/conf/svnserve.conf @@ -0,0 +1,47 @@ +### This file controls the configuration of the svnserve daemon, if you +### use it to allow access to this repository. (If you only allow +### access through http: and/or file: URLs, then this file is +### irrelevant.) + +### Visit http://subversion.tigris.org/ for more information. + +[general] +### These options control access to the repository for unauthenticated +### and authenticated users. Valid values are "write", "read", +### and "none". The sample settings below are the defaults. +# anon-access = read +# auth-access = write +### The password-db option controls the location of the password +### database file. Unless you specify a path starting with a /, +### the file's location is relative to the directory containing +### this configuration file. +### If SASL is enabled (see below), this file will NOT be used. +### Uncomment the line below to use the default password file. +# password-db = passwd +### The authz-db option controls the location of the authorization +### rules for path-based access control. Unless you specify a path +### starting with a /, the file's location is relative to the the +### directory containing this file. If you don't specify an +### authz-db, no path-based access control is done. +### Uncomment the line below to use the default authorization file. +# authz-db = authz +### This option specifies the authentication realm of the repository. +### If two repositories have the same authentication realm, they should +### have the same password database, and vice versa. The default realm +### is repository's uuid. +# realm = My First Repository + +[sasl] +### This option specifies whether you want to use the Cyrus SASL +### library for authentication. Default is false. +### This section will be ignored if svnserve is not built with Cyrus +### SASL support; to check, run 'svnserve --version' and look for a line +### reading 'Cyrus SASL authentication is available.' +# use-sasl = true +### These options specify the desired strength of the security layer +### that you want SASL to provide. 0 means no encryption, 1 means +### integrity-checking only, values larger than 1 are correlated +### to the effective key length for encryption (e.g. 128 means 128-bit +### encryption). The values below are the defaults. +# min-encryption = 0 +# max-encryption = 256 diff --git a/db/current b/db/current new file mode 100644 index 0000000..573541a --- /dev/null +++ b/db/current @@ -0,0 +1 @@ +0 diff --git a/db/format b/db/format new file mode 100644 index 0000000..db06890 --- /dev/null +++ b/db/format @@ -0,0 +1,2 @@ +4 +layout sharded 1000 diff --git a/db/fs-type b/db/fs-type new file mode 100644 index 0000000..4fdd953 --- /dev/null +++ b/db/fs-type @@ -0,0 +1 @@ +fsfs diff --git a/db/fsfs.conf b/db/fsfs.conf new file mode 100644 index 0000000..c50d043 --- /dev/null +++ b/db/fsfs.conf @@ -0,0 +1,37 @@ +### This file controls the configuration of the FSFS filesystem. + +[memcached-servers] +### These options name memcached servers used to cache internal FSFS +### data. See http://www.danga.com/memcached/ for more information on +### memcached. To use memcached with FSFS, run one or more memcached +### servers, and specify each of them as an option like so: +# first-server = 127.0.0.1:11211 +# remote-memcached = mymemcached.corp.example.com:11212 +### The option name is ignored; the value is of the form HOST:PORT. +### memcached servers can be shared between multiple repositories; +### however, if you do this, you *must* ensure that repositories have +### distinct UUIDs and paths, or else cached data from one repository +### might be used by another accidentally. Note also that memcached has +### no authentication for reads or writes, so you must ensure that your +### memcached servers are only accessible by trusted users. + +[caches] +### When a cache-related error occurs, normally Subversion ignores it +### and continues, logging an error if the server is appropriately +### configured (and ignoring it with file:// access). To make +### Subversion never ignore cache errors, uncomment this line. +# fail-stop = true + +[rep-sharing] +### To conserve space, the filesystem can optionally avoid storing +### duplicate representations. This comes at a slight cost in performace, +### as maintaining a database of shared representations can increase +### commit times. The space savings are dependent upon the size of the +### repository, the number of objects it contains and the amount of +### duplication between them, usually a function of the branching and +### merging process. +### +### The following parameter enables rep-sharing in the repository. It can +### be switched on and off at will, but for best space-saving results +### should be enabled consistently over the life of the repository. +# enable-rep-sharing = false diff --git a/db/min-unpacked-rev b/db/min-unpacked-rev new file mode 100644 index 0000000..573541a --- /dev/null +++ b/db/min-unpacked-rev @@ -0,0 +1 @@ +0 diff --git a/db/rep-cache.db b/db/rep-cache.db new file mode 100644 index 0000000000000000000000000000000000000000..0fc45a366c181bab20ce6990670925c357512022 GIT binary patch literal 4096 zcmeH{y-ve05XbE#0)f=I6UvPsu~fVO1!e03bhk`*e*&L5iiq6;hh+;BM~}~ zs&jiMo#p!)?q~h|^e|BlA=hRp9o(>lan5c57-O;bZR0)&9xU;`9k#j?`iC7=~XS{%IP*19S$+-u0g{|E9hTU?|c9%5& /dev/null || exit 1 + +# Check that the author of this commit has the rights to perform +# the commit on the files and directories being modified. +commit-access-control.pl "$REPOS" "$TXN" commit-access-control.cfg || exit 1 + +# All checks passed, so allow the commit. +exit 0 diff --git a/hooks/pre-lock.tmpl b/hooks/pre-lock.tmpl new file mode 100644 index 0000000..2a4a039 --- /dev/null +++ b/hooks/pre-lock.tmpl @@ -0,0 +1,71 @@ +#!/bin/sh + +# PRE-LOCK HOOK +# +# The pre-lock hook is invoked before an exclusive lock is +# created. Subversion runs this hook by invoking a program +# (script, executable, binary, etc.) named 'pre-lock' (for which +# this file is a template), with the following ordered arguments: +# +# [1] REPOS-PATH (the path to this repository) +# [2] PATH (the path in the repository about to be locked) +# [3] USER (the user creating the lock) +# [4] COMMENT (the comment of the lock) +# [5] STEAL-LOCK (1 if the user is trying to steal the lock, else 0) +# +# If the hook program outputs anything on stdout, the output string will +# be used as the lock token for this lock operation. If you choose to use +# this feature, you must guarantee the tokens generated are unique across +# the repository each time. +# +# The default working directory for the invocation is undefined, so +# the program should set one explicitly if it cares. +# +# If the hook program exits with success, the lock is created; but +# if it exits with failure (non-zero), the lock action is aborted +# and STDERR is returned to the client. + +# On a Unix system, the normal procedure is to have 'pre-lock' +# invoke other programs to do the real work, though it may do the +# work itself too. +# +# Note that 'pre-lock' must be executable by the user(s) who will +# invoke it (typically the user httpd runs as), and that user must +# have filesystem-level permission to access the repository. +# +# On a Windows system, you should name the hook program +# 'pre-lock.bat' or 'pre-lock.exe', +# but the basic idea is the same. +# +# Here is an example hook script, for a Unix /bin/sh interpreter: + +REPOS="$1" +PATH="$2" +USER="$3" + +# If a lock exists and is owned by a different person, don't allow it +# to be stolen (e.g., with 'svn lock --force ...'). + +# (Maybe this script could send email to the lock owner?) +SVNLOOK=/usr/local/bin/svnlook +GREP=/bin/grep +SED=/bin/sed + +LOCK_OWNER=`$SVNLOOK lock "$REPOS" "$PATH" | \ + $GREP '^Owner: ' | $SED 's/Owner: //'` + +# If we get no result from svnlook, there's no lock, allow the lock to +# happen: +if [ "$LOCK_OWNER" = "" ]; then + exit 0 +fi + +# If the person locking matches the lock's owner, allow the lock to +# happen: +if [ "$LOCK_OWNER" = "$USER" ]; then + exit 0 +fi + +# Otherwise, we've got an owner mismatch, so return failure: +echo "Error: $PATH already locked by ${LOCK_OWNER}." 1>&2 +exit 1 diff --git a/hooks/pre-revprop-change.tmpl b/hooks/pre-revprop-change.tmpl new file mode 100644 index 0000000..9e284a9 --- /dev/null +++ b/hooks/pre-revprop-change.tmpl @@ -0,0 +1,66 @@ +#!/bin/sh + +# PRE-REVPROP-CHANGE HOOK +# +# The pre-revprop-change hook is invoked before a revision property +# is added, modified or deleted. Subversion runs this hook by invoking +# a program (script, executable, binary, etc.) named 'pre-revprop-change' +# (for which this file is a template), with the following ordered +# arguments: +# +# [1] REPOS-PATH (the path to this repository) +# [2] REVISION (the revision being tweaked) +# [3] USER (the username of the person tweaking the property) +# [4] PROPNAME (the property being set on the revision) +# [5] ACTION (the property is being 'A'dded, 'M'odified, or 'D'eleted) +# +# [STDIN] PROPVAL ** the new property value is passed via STDIN. +# +# If the hook program exits with success, the propchange happens; but +# if it exits with failure (non-zero), the propchange doesn't happen. +# The hook program can use the 'svnlook' utility to examine the +# existing value of the revision property. +# +# WARNING: unlike other hooks, this hook MUST exist for revision +# properties to be changed. If the hook does not exist, Subversion +# will behave as if the hook were present, but failed. The reason +# for this is that revision properties are UNVERSIONED, meaning that +# a successful propchange is destructive; the old value is gone +# forever. We recommend the hook back up the old value somewhere. +# +# On a Unix system, the normal procedure is to have 'pre-revprop-change' +# invoke other programs to do the real work, though it may do the +# work itself too. +# +# Note that 'pre-revprop-change' must be executable by the user(s) who will +# invoke it (typically the user httpd runs as), and that user must +# have filesystem-level permission to access the repository. +# +# On a Windows system, you should name the hook program +# 'pre-revprop-change.bat' or 'pre-revprop-change.exe', +# but the basic idea is the same. +# +# The hook program typically does not inherit the environment of +# its parent process. For example, a common problem is for the +# PATH environment variable to not be set to its usual value, so +# that subprograms fail to launch unless invoked via absolute path. +# If you're having unexpected problems with a hook program, the +# culprit may be unusual (or missing) environment variables. +# +# Here is an example hook script, for a Unix /bin/sh interpreter. +# For more examples and pre-written hooks, see those in +# the Subversion repository at +# http://svn.collab.net/repos/svn/trunk/tools/hook-scripts/ and +# http://svn.collab.net/repos/svn/trunk/contrib/hook-scripts/ + + +REPOS="$1" +REV="$2" +USER="$3" +PROPNAME="$4" +ACTION="$5" + +if [ "$ACTION" = "M" -a "$PROPNAME" = "svn:log" ]; then exit 0; fi + +echo "Changing revision properties other than svn:log is prohibited" >&2 +exit 1 diff --git a/hooks/pre-unlock.tmpl b/hooks/pre-unlock.tmpl new file mode 100644 index 0000000..6754801 --- /dev/null +++ b/hooks/pre-unlock.tmpl @@ -0,0 +1,63 @@ +#!/bin/sh + +# PRE-UNLOCK HOOK +# +# The pre-unlock hook is invoked before an exclusive lock is +# destroyed. Subversion runs this hook by invoking a program +# (script, executable, binary, etc.) named 'pre-unlock' (for which +# this file is a template), with the following ordered arguments: +# +# [1] REPOS-PATH (the path to this repository) +# [2] PATH (the path in the repository about to be unlocked) +# [3] USER (the user destroying the lock) +# [4] TOKEN (the lock token to be destroyed) +# [5] BREAK-UNLOCK (1 if the user is breaking the lock, else 0) +# +# The default working directory for the invocation is undefined, so +# the program should set one explicitly if it cares. +# +# If the hook program exits with success, the lock is destroyed; but +# if it exits with failure (non-zero), the unlock action is aborted +# and STDERR is returned to the client. + +# On a Unix system, the normal procedure is to have 'pre-unlock' +# invoke other programs to do the real work, though it may do the +# work itself too. +# +# Note that 'pre-unlock' must be executable by the user(s) who will +# invoke it (typically the user httpd runs as), and that user must +# have filesystem-level permission to access the repository. +# +# On a Windows system, you should name the hook program +# 'pre-unlock.bat' or 'pre-unlock.exe', +# but the basic idea is the same. +# +# Here is an example hook script, for a Unix /bin/sh interpreter: + +REPOS="$1" +PATH="$2" +USER="$3" + +# If a lock is owned by a different person, don't allow it be broken. +# (Maybe this script could send email to the lock owner?) + +SVNLOOK=/usr/local/bin/svnlook +GREP=/bin/grep +SED=/bin/sed + +LOCK_OWNER=`$SVNLOOK lock "$REPOS" "$PATH" | \ + $GREP '^Owner: ' | $SED 's/Owner: //'` + +# If we get no result from svnlook, there's no lock, return success: +if [ "$LOCK_OWNER" = "" ]; then + exit 0 +fi + +# If the person unlocking matches the lock's owner, return success: +if [ "$LOCK_OWNER" = "$USER" ]; then + exit 0 +fi + +# Otherwise, we've got an owner mismatch, so return failure: +echo "Error: $PATH locked by ${LOCK_OWNER}." 1>&2 +exit 1 diff --git a/hooks/start-commit.tmpl b/hooks/start-commit.tmpl new file mode 100644 index 0000000..c06647d --- /dev/null +++ b/hooks/start-commit.tmpl @@ -0,0 +1,65 @@ +#!/bin/sh + +# START-COMMIT HOOK +# +# The start-commit hook is invoked before a Subversion txn is created +# in the process of doing a commit. Subversion runs this hook +# by invoking a program (script, executable, binary, etc.) named +# 'start-commit' (for which this file is a template) +# with the following ordered arguments: +# +# [1] REPOS-PATH (the path to this repository) +# [2] USER (the authenticated user attempting to commit) +# [3] CAPABILITIES (a colon-separated list of capabilities reported +# by the client; see note below) +# +# Note: The CAPABILITIES parameter is new in Subversion 1.5, and 1.5 +# clients will typically report at least the "mergeinfo" capability. +# If there are other capabilities, then the list is colon-separated, +# e.g.: "mergeinfo:some-other-capability" (the order is undefined). +# +# The list is self-reported by the client. Therefore, you should not +# make security assumptions based on the capabilities list, nor should +# you assume that clients reliably report every capability they have. +# +# The working directory for this hook program's invocation is undefined, +# so the program should set one explicitly if it cares. +# +# If the hook program exits with success, the commit continues; but +# if it exits with failure (non-zero), the commit is stopped before +# a Subversion txn is created, and STDERR is returned to the client. +# +# On a Unix system, the normal procedure is to have 'start-commit' +# invoke other programs to do the real work, though it may do the +# work itself too. +# +# Note that 'start-commit' must be executable by the user(s) who will +# invoke it (typically the user httpd runs as), and that user must +# have filesystem-level permission to access the repository. +# +# On a Windows system, you should name the hook program +# 'start-commit.bat' or 'start-commit.exe', +# but the basic idea is the same. +# +# The hook program typically does not inherit the environment of +# its parent process. For example, a common problem is for the +# PATH environment variable to not be set to its usual value, so +# that subprograms fail to launch unless invoked via absolute path. +# If you're having unexpected problems with a hook program, the +# culprit may be unusual (or missing) environment variables. +# +# Here is an example hook script, for a Unix /bin/sh interpreter. +# For more examples and pre-written hooks, see those in +# the Subversion repository at +# http://svn.collab.net/repos/svn/trunk/tools/hook-scripts/ and +# http://svn.collab.net/repos/svn/trunk/contrib/hook-scripts/ + + +REPOS="$1" +USER="$2" + +commit-allower.pl --repository "$REPOS" --user "$USER" || exit 1 +special-auth-check.py --user "$USER" --auth-level 3 || exit 1 + +# All checks passed, so allow the commit. +exit 0 diff --git a/locks/db-logs.lock b/locks/db-logs.lock new file mode 100644 index 0000000..536ac36 --- /dev/null +++ b/locks/db-logs.lock @@ -0,0 +1,3 @@ +This file is not used by Subversion 1.3.x or later. +However, its existence is required for compatibility with +Subversion 1.2.x or earlier. diff --git a/locks/db.lock b/locks/db.lock new file mode 100644 index 0000000..536ac36 --- /dev/null +++ b/locks/db.lock @@ -0,0 +1,3 @@ +This file is not used by Subversion 1.3.x or later. +However, its existence is required for compatibility with +Subversion 1.2.x or earlier. -- 2.26.2