SVN authorization
Rainer Müller
raimue at macports.org
Thu Aug 6 06:44:23 PDT 2015
Hello Craig,
On 2015-08-06 14:52, Craig Treleaven wrote:
>> On Aug 5, 2015, at 11:20 PM, Mihai Moldovan <ionic at macports.org> wrote:
>>
>> On 06.08.2015 02:53 AM, Craig Treleaven wrote:
>>> I vaguely recall running an svn command to add MacPorts as a trusted server (or some-such) but I don’t recall the details.
>>>
>>> Could someone point me in the right direction?
>>
>> Refer to https://trac.macports.org/wiki/howto/SyncingWithSVN and specifically to
>> Step 3 under "Configuration".
>
> Thanks for the pointer. As I read the page, I only need to do the second part--storing the certificate file in [blah]/.subversion/auth/svn.ssl.server. However, trying to selfupdate, I still get:
>
> ---> Updating the ports tree
> Synchronizing local ports tree from file:///Users/craigtreleaven/mp/ports
> Updating '.':
> svn: E175002: Unable to connect to a repository at URL 'https://svn.macports.org/repository/macports/trunk/dports'
> svn: E175002: OPTIONS of 'https://svn.macports.org/repository/macports/trunk/dports': Server certificate verification failed: issuer is not trusted (https://svn.macports.org)
> Command failed: /usr/bin/svn update --non-interactive /Users/craigtreleaven/mp/ports
> Exit code: 1
>
>
> I wonder if it is the ownership/permissions of the certificate file. The wiki page doesn’t say so, but I had to use ‘sudo’ to create the directory and write the certificate file to it.
>
> $ sudo ls -al /opt/local/var/macports/home/.subversion/auth/svn.ssl.server
> total 8
> drwxr-xr-x 3 root admin 102 6 Aug 08:27 .
> drwx------ 6 root admin 204 5 Aug 20:19 ..
> -rw-r--r-- 1 root admin 1806 6 Aug 08:27 9368d05e066fecedad33aa815bbaf7cc
Only root will be able to read this file (due to permissions on "..").
MacPorts automatically runs the update command as the user owning the
Subversion working copy, so you need to configure it for that user. The
instructions in the wiki assume the ports tree will be owned by the
macports user.
> Finally, I checked a backup of my 10.6 volume and I didn't even have a '/opt/local/var/macports/home/.subversion/auth/svn.ssl.server' directory?
Back then, /usr/bin/svn was still able to verify SSL certificates for
HTTPS. Apple broke this with OS X 10.7 Lion and never fixed it.
/usr/bin/svn does not have any list of trusted authorities and
therefore always displays this certificate warning, requiring manual
acknowledgement to continue.
Side note: if you install the subversion port and either curl-ca-bundle
or certsync, certificate verification for HTTPS should just work using
/opt/local/bin/svn.
I prefer to keep the ports tree in my home directory, where I also keep
everything else I am working on. As MacPorts automatically switches to
the user owning the ports tree, this works just fine and also uses my
configuration of Subversion. But I need to ensure that the macports
user is able to read the Portfiles (and accompanying patches). My setup
is as follows:
In my /opt/local/etc/macports/sources.conf I have the following entry:
file:///Users/raimue/src/macports/trunk/dports/ [default]
The permissions on this path are the following; in particular, I need the
x-bit to allow any user to traverse through my home directory:
drwxr-xr-x 6 root admin 204 Feb 21 21:32 /Users
drwxr-xr-x+ 227 raimue staff 7718 Aug 6 15:26 /Users/raimue
0: group:everyone deny delete
drwx--x--x 117 raimue staff 3978 Jul 27 10:54 /Users/raimue/src
drwxr-xr-x 23 raimue staff 782 Jun 7 13:03 /Users/raimue/src/macports
drwxr-xr-x+ 12 raimue staff 408 Mar 7 16:21 /Users/raimue/src/macports/trunk
0: group:everyone allow list,search,file_inherit,directory_inherit
drwxr-xr-x+ 52 raimue staff 1768 Aug 5 15:14 /Users/raimue/src/macports/trunk/dports
0: group:everyone allow list,search,file_inherit,directory_inherit
These additional ACL entries make sure that the macports user is able
to read Portfiles in the ports tree (not sure why I have that one on
$HOME itself, is it default?). I could have made them less permissive,
but the tree should not contain anything private anyway. They ensure
that all newly created files get the correct permissions. Only when
moving files from somewhere else into the ports tree do I need to be more
cautious and apply the ACL rules once again.
The command to set these ACLs would be:
chmod -R +a "group:everyone allow read,execute,list,search,file_inherit,directory_inherit" <DIR>
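A check for the two permission problems in this message (the certificate store whose parent directory is root-only, and a ports tree kept under $HOME), written as an added example rather than code from this thread or from MacPorts: it walks each component of a path and reports which ones block a different local user, treated here as "other". It assumes plain Unix mode bits only; the macOS ACL entries shown above are not inspected, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from MacPorts. Walks every
# component of a path and reports the ones a different local user (the
# macports user, treated here as "other") cannot traverse or read. It
# covers both problems above: the certificate store whose parent is
# drwx------ root, and a ports tree under $HOME that needs the x-bit on
# every directory above it. macOS ACLs are not inspected (assumption).

# Symbolic mode of PATH as printed by ls -ld (first 10 chars), or empty.
mode_of() {
    ls -ld "$1" 2>/dev/null | awk '{ print substr($1, 1, 10) }'
}

# Usage: check_path_traversal /absolute/path [/already/reachable/base]
# Returns 0 if "other" can reach PATH, else 1 and one line per offender.
check_path_traversal() {
    target=${1%/}
    cur=${2:-}                 # optional base assumed to be reachable
    rest=${target#"$cur"}; rest=${rest#/}
    rc=0
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        rest=${rest#"$comp"}; rest=${rest#/}
        [ -n "$comp" ] || continue      # tolerate doubled slashes
        cur="$cur/$comp"
        mode=$(mode_of "$cur")
        if [ -z "$mode" ]; then echo "MISSING $cur"; rc=1; continue; fi
        r=$(printf '%s' "$mode" | cut -c8)   # other: read
        x=$(printf '%s' "$mode" | cut -c10)  # other: search/execute
        case $mode in
            d*) # every directory needs x; the final one also needs r (list)
                if [ "$x" != x ] && [ "$x" != t ]; then
                    echo "BLOCKED $mode $cur"; rc=1
                elif [ -z "$rest" ] && [ "$r" != r ]; then
                    echo "BLOCKED $mode $cur"; rc=1
                fi ;;
            *)  # regular file (e.g. the stored server certificate) needs r
                [ "$r" = r ] || { echo "BLOCKED $mode $cur"; rc=1; } ;;
        esac
    done
    return $rc
}

# The macOS ACL command from the thread, for one directory (printed, not run).
acl_fix_command() {
    printf 'chmod -R +a "group:everyone allow read,execute,list,search,file_inherit,directory_inherit" %s\n' "$1"
}
```

Run it as `check_path_traversal /Users/you/src/macports/trunk/dports` (or with the certificate file path) to see which component to fix before applying the ACL command.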
Hopefully that helps you with your own setup.
Rainer