Subversion Installation on Debian with Plesk – Without Security Issue

Available at http://www.bluehelp.de/tutorial/svn-debian-plesk.html there is a good (German) description of how to set up a Subversion repository on a Debian system on which Parallels Plesk Panel is also installed. However, one thing there needs improvement: the HTTP password file is generated with the two commands

htpasswd -cs /var/svnrepo/dav_svn.passwd alice
htpasswd -s /var/svnrepo/dav_svn.passwd tom

This means that the password file is created with Unix permissions rw-r--r-- and with the current user as owner and group. It is well known that world-readable password files are a bad idea in any case and pose a security risk.
Thus, I would like to extend the instructions on that page by recommending the following additional commands:

chown :www-data /var/svnrepo/dav_svn.passwd
chmod o-r /var/svnrepo/dav_svn.passwd

This way the file is still readable by the Apache web server, but no "other" users are allowed to read the contents of the hashed password file.
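
The steps above as a small shell helper, added here as an example and not taken from the linked tutorial. The function names are hypothetical; the path and group are the ones used above. It also wraps the creating command in a stricter umask so that the file is not world-readable even between creation and the chmod.

```shell
#!/bin/sh
# Added example; function names are hypothetical, path and group are from the post.

# Run a command with umask 027, so that files it creates with default modes
# end up as rw-r----- instead of rw-r--r--.
with_private_umask() {
    ( umask 027; "$@" )
}

# Hand the file to the web server's group and drop all rights for "other".
# o-rwx is used instead of o-r so that stray write/execute bits go as well.
harden_passwd_file() {
    file=$1
    group=${2:-www-data}
    chgrp "$group" "$file" && chmod o-rwx "$file"
}

# Return 0 if "other" has no rights on the file, 1 if it has, 2 if the file
# does not exist. Characters 8-10 of the ls mode string are the "other" bits.
passwd_file_is_private() {
    [ -f "$1" ] || return 2
    other=$(ls -ld -- "$1" | cut -c8-10)
    [ "$other" = "---" ]
}

# Usage on the system from the post (run as root):
#   with_private_umask htpasswd -cs /var/svnrepo/dav_svn.passwd alice
#   htpasswd -s /var/svnrepo/dav_svn.passwd tom
#   harden_passwd_file /var/svnrepo/dav_svn.passwd www-data
#   passwd_file_is_private /var/svnrepo/dav_svn.passwd || echo "still readable by others"
```

The check is also useful after later password changes, to confirm that the permissions have not been reset.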
