4

I've set up a dedicated Subversion server with Apache and mod_dav_svn on Ubuntu 9.10 Server, and I've got everything working fine at this point. However, I noticed that when it comes to assigning the right file permissions to the repository directory, most tutorials tell you to do something like this:

sudo chown -R www-data:www-data /svn/myrepo # make www-data the owner of the repo so Apache
                                            # can write to it
sudo chmod -R g+ws /svn/myrepo  # Give the www-data group write access as well, and enable
                                # setgid so that new directories have that group

Now, I did it a little differently. I created a new subversion group, and made that the owner of the repository, then added myself and www-data to that group, the reasoning being that this way I can edit the configuration files in /svn/myrepo/conf and the hook scripts in /svn/myrepo/hooks, and it also keeps Apache and Subversion a bit more separate from each other. I've seen other tutorials recommend something similar, but then tell you to do this:

sudo chown -R www-data:subversion /svn/myrepo
sudo chmod -R g+ws /svn/myrepo

These same tutorials imply that you are creating the subversion group specifically to keep Subversion and Apache mostly separate from each other, so why do they turn around and make www-data the owner of the files? Is there any good reason to make www-data the owner of the repository files at all? Why not just make root the owner? It seems like keeping www-data as the owner of the repository unnecessarily ties Subversion "too much" to Apache. Is there any good reason to make the owner www-data instead of root, as long as the group is still subversion?

2 Answers

4

You wouldn't typically want root to be the owner of the repository because that would mean that apache (httpd) had to be running as root in order to access the svn repository, which is usually considered a security risk.

In my experience, you mostly interact with subversion via apache. Since that is the case, it seems easier and more natural to just let apache (www-data) be the owner of the subversion repository. If you have created your subversion repository in a separate directory structure from your web sites, there should be no confusion about which files are used for what. For example, I have /data/www for my websites and /data/svn for my svn repositories.

Then to allow yourself the ability to modify the repository config files and hook scripts, just make yourself a member of the www-data group and perform the:

sudo chmod -R g+ws /svn/myrepo

as you mentioned above and you're good to go.

I don't see a benefit to separating the svn repository owner from the apache user, but if you really insisted on doing that, you could create a subversion user in addition to the subversion group and make the owner of /svn/myrepo be subversion:subversion. Then just make yourself and apache a member of the subversion group and modify the directory permissions as above.

2

IIRC, Apache only needs write access to the "dav", "db", and "locks" directories. It doesn't matter if it's via user or group ownership. There's no reason for Apache to have write access to "conf" and "hooks" in most cases.

Gerald Combs
  • 6,591
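The split described in the last answer, as an added example that is not part of the original answers: group write (plus setgid on directories) only under dav, db and locks, and no group or other write under conf and hooks. The function names, the optional group argument and the audit helper are assumptions made for illustration; the directory names are the ones the answer lists.

```shell
#!/bin/sh
# Added example: narrow group write access inside a Subversion repository.
WRITABLE_DIRS="dav db locks"   # the web server needs write access here
ADMIN_DIRS="conf hooks"        # config and hook scripts: no group write

# harden_repo REPO [GROUP]
# With GROUP, group ownership is set first (needs root, or the owner
# being a member of GROUP). Without it, only the modes are changed.
harden_repo() {
    repo=$1
    group=${2:-}
    [ -d "$repo" ] || { echo "not a directory: $repo" >&2; return 1; }
    if [ -n "$group" ]; then
        chgrp -R "$group" "$repo" || return 1
    fi
    for d in $WRITABLE_DIRS; do
        [ -d "$repo/$d" ] || continue   # skip directories this repo lacks
        chmod -R g+w "$repo/$d"
        # setgid on directories only, so new files inherit the group
        find "$repo/$d" -type d -exec chmod g+s {} +
    done
    for d in $ADMIN_DIRS; do
        [ -d "$repo/$d" ] || continue
        chmod -R g-w,o-w "$repo/$d"
    done
}

# group_writable_dirs REPO
# Prints the top-level directories that are still group-writable,
# space separated, so the result of harden_repo can be audited.
group_writable_dirs() {
    out=""
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        if [ -n "$(find "$d" -prune -perm -020)" ]; then
            out="$out${out:+ }$(basename "$d")"
        fi
    done
    echo "$out"
}
```

For the layout in the question this would be called as `sudo sh -c '. ./harden.sh; harden_repo /svn/myrepo subversion'`, where `harden.sh` is a hypothetical file name for the block above.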