CSC has commissioned a Subversion (svn) server which enables all users to maintain their own svn repositories and give fine-grained access rights to other collaborators and students. SVN is a popular and effective tool for version control of programs, documents and designs, and for collaborative development and long-term maintenance of programs and designs. All users of CSC can create their own SVN repositories. Students are encouraged to use this facility for collaborative projects and assignments.
The svn repositories reside in a special directory, svn, in the user's home spaces and CIFS shares. Please note that $HOME will refer to the location of the user's home directory from now on. For example, $HOME for the user cs1070170 will be '/home/cse/btech/cs1070170'. The CSC home directories are available as the default homes in any CSC desktop (Windows or Linux) and the remote ssh servers ssh1.iitd.ernet.in and ssh2.iitd.ernet.in. Alternatively, the CSC home directories can be mounted on remote desktops and laptops using CIFS. For more information about how to access the CSC home using CIFS, please visit the link
Creating new repositories:
To be able to use svn, the user needs to create a directory $HOME/svn. New repositories can then be created by navigating to $HOME/svn and issuing the command 'svnadmin create repo-name', where repo-name is the name of the repository. This command can be executed from any CSC machine, or even from the user's local machine with a CIFS mount of the home directory. A file $HOME/svn/authz also needs to be created for access control (see the section Maintaining Access Control). Other fine-grained operations can also be performed on the repository using the tool 'svnadmin'; see 'man svnadmin' for details.
Accessing the repositories:
The repositories can be accessed from the URL https://svn.iitd.ernet.in/~<username>/<repo-name>, where <username> is the username, and <repo-name> is the name of the repository. For example, a repository named 'test-repo' owned by the user 'cs1070170' can be accessed from the URL https://svn.iitd.ernet.in/~cs1070170/test-repo. The files in the repository can be browsed in read-only mode by pointing the web browser to the specified URL, or accessed in read-write mode (depending upon the access control maintained by the repository owner) using any svn client. For a comparison of popular svn client software, please see http://en.wikipedia.org/wiki/Comparison_of_Subversion_clients.
Note that the svn client can raise a warning like "Error validating server certificate". To remedy this, the IITD CA certificate must be installed in the client. Please see the certificates section for details.
Maintaining Access Control:
The repository owner can set fine-grained access control using a file $HOME/svn/authz. Read or read-write access to the complete repository, or to part of the repository, can be granted to individual users on a per-repository basis. A minimalistic access control would be to grant read-write access for all the repositories to the owner.
Format of the authz file:
An example first:
    [/]
    cs1070170@IITD.ERNET.IN = r

    [repository-1:/]
    cs1070170@IITD.ERNET.IN = rw
    suban@IITD.ERNET.IN = r

    [repository-2:/trunk/src]
    cs1070170@IITD.ERNET.IN = rw
    nck@IITD.ERNET.IN = rw

The first part gives read-only access to the user cs1070170. '[/]' refers to all the repositories, 'cs1070170@IITD.ERNET.IN' is the user (all the usernames have to be appended with @IITD.ERNET.IN), and 'r' means read-only access.
The second part is for the repository 'repository-1'. '[repository-1:/]' refers to the complete repository tree, and it grants read-write access to user cs1070170, and read-only access to user suban.
The third part deals with subtrees in a repository. It gives a read-write access to the users cs1070170 and nck for the subtree /trunk/src in repository-2.
For a complete explanation of the format and more examples, please refer to authz format
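The following lint is an added example, not part of the CSC setup: it checks an authz file for the rules described above (absolute section paths, access of r or rw, usernames carrying the @IITD.ERNET.IN suffix). The function name authz_lint is hypothetical, and the handling of an empty access value, '*', group, alias and negation names is standard Subversion authz syntax rather than something this page covers.

```shell
#!/bin/sh
# Added example (not CSC's code): lint an authz file against the rules above.
REALM='@IITD.ERNET.IN'   # realm suffix required by this page

# authz_lint FILE  (hypothetical helper name)
# Prints "line N: message" per problem; exit status 1 if any were found.
authz_lint() {
    awk -v realm="$REALM" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        function bad(msg) { printf "line %d: %s\n", NR, msg; nbad++ }
        /^[ \t]*(#|$)/ { next }                       # comments, blank lines
        /^[ \t]*\[.*\][ \t]*$/ {                      # [section] header
            sect = trim($0); sect = substr(sect, 2, length(sect) - 2)
            skip = (sect == "groups" || sect == "aliases")
            path = sect; sub(/^[^:\/]*:/, "", path)   # drop optional "repo:"
            if (!skip && substr(path, 1, 1) != "/")
                bad("section [" sect "] does not name an absolute path")
            next
        }
        skip { next }                                 # group/alias definitions
        {
            eq = index($0, "=")
            if (eq == 0) { bad("expected: user = access"); next }
            who = trim(substr($0, 1, eq - 1)); acc = trim(substr($0, eq + 1))
            if (sect == "") bad("rule appears before any [section]")
            if (acc != "r" && acc != "rw" && acc != "")
                bad("access \"" acc "\" is not r, rw or empty")
            # "*", "@group", "&alias", "$token", "~negation" are not plain users
            if (who != "*" && who !~ /^[@&$~]/ &&
                substr(who, length(who) - length(realm) + 1) != realm)
                bad("user \"" who "\" lacks the " realm " suffix")
        }
        END { exit (nbad > 0) }
    ' "$1"
}

if [ $# -gt 0 ]; then authz_lint "$1"; fi
```

Run it as 'sh authz_lint.sh $HOME/svn/authz' (the script file name is an assumption) after every edit to the file.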
A note on Security and file permissions:
All accesses to the SVN repositories are made through the WebDAV protocol. To implement WebDAV, we use the Apache web server with DAV SVN, additionally configured with an MPM (Multi-Processing Module) which forks a worker thread with the permission of the user whose SVN repositories are being accessed. This way, all the files/directories created as a result of commits are owned by the user to whose repository the commit is performed. This is an improvement over the other approach of setting the file permissions using a cron job. It also allows users to use custom hooks for the actions related to the repositories (though in this case, the hooks are executed with the permission of the repository owner, rather than the traditional www-data).
Though this model eliminates the need for complicated file permissions for the repository, execute permission for the world is still required for the user's home directory ($HOME). To make sure that nobody other than the legitimate users can access the repository, it is advised to restrict the permissions of the individual repositories to the owner.
The minimal file permissions that still give a working repository (for the user cs1070170, with home directory /home/cse/btech/cs1070170) are as follows:

    drwx-----x cs1070170 cs107 /home/cse/btech/cs1070170
    drwx------ cs1070170 cs107 /home/cse/btech/cs1070170/svn

Please note that file permissions of files/directories in the subtree /home/cse/btech/cs1070170/svn don't matter, as long as all permissions to everybody other than the owner are revoked for /home/cse/btech/cs1070170/svn.
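The setup steps from "Creating new repositories" and the permission listing above, combined into one added example that is not CSC's own script: it creates $HOME/svn with a minimal authz, applies the permissions, and audits them against the listing. The function names setup_svn_home and check_svn_perms are hypothetical; the repository is only created if a name is given and svnadmin is installed.

```shell
#!/bin/sh
# Added example (not CSC's code): set up $HOME/svn with the minimal
# permissions above, then audit them. Function names are hypothetical.

# setup_svn_home HOME_DIR USERNAME [REPO_NAME]
setup_svn_home() {
    home=$1 user=$2 repo=$3
    mkdir -p "$home/svn" || return 1
    # Minimal access control: owner gets read-write on all repositories.
    if [ ! -e "$home/svn/authz" ]; then
        printf '[/]\n%s@IITD.ERNET.IN = rw\n' "$user" > "$home/svn/authz"
    fi
    chmod o+x "$home" || return 1       # world execute on $HOME is required
    chmod 700 "$home/svn" || return 1   # drwx------ : owner only
    if [ -n "$repo" ] && command -v svnadmin >/dev/null 2>&1; then
        svnadmin create "$home/svn/$repo"
    fi
}

# check_svn_perms HOME_DIR
# Prints one line per deviation; exit status 1 if any, 2 if svn is missing.
check_svn_perms() {
    home=$1 rc=0
    [ -d "$home/svn" ] || { echo "$home/svn: not a directory"; return 2; }
    hperm=$(ls -ld "$home" | cut -c1-10)       # e.g. drwx-----x
    sperm=$(ls -ld "$home/svn" | cut -c1-10)   # e.g. drwx------
    case $hperm in
        d????????[xt]) ;;   # others may traverse $HOME
        *) echo "$home: $hperm, others cannot traverse"; rc=1 ;;
    esac
    case $sperm in
        d???------) ;;      # no group or other bits on svn
        *) echo "$home/svn: $sperm grants access beyond the owner"; rc=1 ;;
    esac
    return $rc
}

if [ $# -gt 0 ]; then check_svn_perms "$1"; fi
```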