Bug #23827 for SVN-Web: Running under mod

Wed Dec 06 11:37:39 2006 jpeacock [...] cpan.org - Ticket created

Subject:

Running under mod_perl [as root] fails

Using the svn-client branch from Subversion, the follow error is displayed: Permission denied: Can't open file '/root/.subversion/servers': Permission denied at /usr/lib/perl5/site_perl/5.8.8/SVN/Web.pm line 266 That line is: $REPOS{$cfg->{repos}}{client} = SVN::Client->new(); which seems to suggest that SVN::Client is trying to use the root UID, even though Apache is running as wwwrun. If the Apache process is run as some other user (like during the tests), it works fine, as does running the svnweb-server process instead of mod_perl.

Wed Dec 13 15:44:23 2006 NIKC [...] cpan.org - Correspondence added

On Wed Dec 06 11:37:39 2006, JPEACOCK wrote: Show quoted text

> Using the svn-client branch from Subversion, the follow error is

displayed: Show quoted text

> > Permission denied: Can't open file '/root/.subversion/servers': > Permission denied at /usr/lib/perl5/site_perl/5.8.8/SVN/Web.pm line 266 > > That line is: > > $REPOS{$cfg->{repos}}{client} = SVN::Client->new(); > > which seems to suggest that SVN::Client is trying to use the root UID, > even though Apache is running as wwwrun. If the Apache process is run > as some other user (like during the tests), it works fine, as does > running the svnweb-server process instead of mod_perl.

I can't reproduce that. Can you try again, using trunk (I've merged the svn-client branch to trunk now), and let me know the revision number you have checked out. Does it fail if run the tests as root (e.g., "sudo prove t/mod_perl.t") ? If you still have the problem can you also let me know the versions of Subversion and Apache that you're using, and the contents of the httpd.conf file that it's testing with (you'll need to edit SVN::Web::Test and change the 'CLEANUP' around line 188 from '1' to '0' so that the temporary directory isn't removed).

Wed Dec 13 15:44:27 2006 The RT System itself - Status changed from 'new' to 'open'

Wed Dec 13 16:31:53 2006 jpeacock [...] rowman.com - Correspondence added

Subject:	Re: [rt.cpan.org #23827] Running under mod_perl [as root] fails
Date:	Wed, 13 Dec 2006 16:31:15 -0500
To:	bug-SVN-Web [...] rt.cpan.org
From:	John Peacock <jpeacock [...] rowman.com>

via RT wrote: Show quoted text

> I can't reproduce that. Can you try again, using trunk (I've merged the > svn-client branch to trunk now), and let me know the revision number you > have checked out.

I tried again with the new trunk but it didn't make any difference. I'm also having a hard time recreating it outside of the Apache configuration file (attached). I think it has several pre-requisites: 1) log in as root (your real UID must be 0); 2) drop privileges exactly like Apache does (su/sudo are too complete); 3) run tests and see them fail??? Show quoted text

> Does it fail if run the tests as root (e.g., "sudo prove t/mod_perl.t") ?

No, because the real UID is me (non-root account), so SVN::Client pulls _my_ Subversion configuration. This may be SVN::Client's fault, but your code is feeling the pain... :( Show quoted text

> If you still have the problem can you also let me know the versions of > Subversion and Apache that you're using, and the contents of the > httpd.conf file that it's testing with (you'll need to edit > SVN::Web::Test and change the 'CLEANUP' around line 188 from '1' to '0' > so that the temporary directory isn't removed).

Apache 2.2.0 (SLES 10.0 RPM) Subversion 1.4.2 (compiled from source) I just noticed that SUSE now has an upgraded Apache 2.2.3 RPM, so I'll confirm that this bug hasn't been fixed. John -- John Peacock Director of Information Research and Technology Rowman & Littlefield Publishing Group 4501 Forbes Boulevard Suite H Lanham, MD 20706 301-459-3366 x.5010 fax 301-429-5748

# # VirtualHost template: # Almost any Apache directive may go into a VirtualHost container. # The first VirtualHost section is used for requests without a known # server name. # <VirtualHost *:80> ServerAdmin webmaster@subversion.internal ServerName subversion.internal # DocumentRoot: The directory out of which you will serve your # documents. By default, all requests are taken from this directory, but # symbolic links and aliases may be used to point to other locations. DocumentRoot /srv/www/vhosts/svn-web # if not specified, the global error log is used ErrorLog /var/log/apache2/subversion.internal-error_log CustomLog /var/log/apache2/subversion.internal-access_log combined # don't loose time with IP address lookups HostnameLookups Off # needed for named virtual hosts UseCanonicalName Off # configures the footer on server-generated documents ServerSignature On <Directory "/srv/www/vhosts/svn-web/"> DefaultType text/html SetHandler perl-script PerlHandler SVN::Web Order allow,deny Allow from all </Directory> <Directory "/srv/www/vhosts/svn-web/css"> SetHandler default-handler Order allow,deny Allow from all </Directory> </VirtualHost>

Wed Dec 13 16:56:11 2006 jpeacock [...] rowman.com - Correspondence added

Subject:	Re: [rt.cpan.org #23827] Running under mod_perl [as root] fails
Date:	Wed, 13 Dec 2006 16:55:54 -0500
To:	bug-SVN-Web [...] rt.cpan.org
From:	John Peacock <jpeacock [...] rowman.com>

John Peacock via RT wrote: Show quoted text

> I tried again with the new trunk but it didn't make any difference. I'm > also having a hard time recreating it outside of the Apache > configuration file (attached). I think it has several pre-requisites: > > 1) log in as root (your real UID must be 0); > 2) drop privileges exactly like Apache does (su/sudo are too complete); > 3) run tests and see them fail???

OK, you can mark this ticket as WONTFIX because I've just confirmed that this is clearly a problem with SVN::Client. I have a script (attached) which properly drops privileges like Apache does and SVN::Client freaks out exactly the same as it is used in SVN::Web. Run it as 'sudo ./test' and watch the fireworks! John -- John Peacock Director of Information Research and Technology Rowman & Littlefield Publishing Group 4501 Forbes Boulevard Suite H Lanham, MD 20706 301-459-3366 x.5010 fax 301-429-5748

#!/usr/bin/perl -w use POSIX qw(:sys_wait_h :errno_h :signal_h); use SVN::Client; use Data::Dumper qw/Dumper/; my $USER = $ENV{SUDO_USER}; # Drop privileges my (undef, undef, $quid, $qgid) = getpwnam $USER or die "unable to determine uid/gid for $USER\n"; my $groups = "$qgid $qgid"; while (my ($name,$passwd,$gid,$members) = getgrent()) { my @m = split(/ /, $members); if (grep {$_ eq $USER} @m) { $groups .= " $gid"; } } $) = $groups; POSIX::setgid($qgid) or die "unable to change gid: $!\n"; POSIX::setuid($quid) or die "unable to change uid: $!\n"; $> = $quid; my $client = SVN::Client->new(); print Dumper($client);

Wed Dec 13 17:21:56 2006 jpeacock [...] rowman.com - Correspondence added

Subject:	Re: [rt.cpan.org #23827] Running under mod_perl [as root] fails
Date:	Wed, 13 Dec 2006 17:21:50 -0500
To:	bug-SVN-Web [...] rt.cpan.org
From:	John Peacock <jpeacock [...] rowman.com>

OK, I've got a workaround. Apply this patch: Index: lib/SVN/Web.pm =================================================================== --- lib/SVN/Web.pm (revision 1280) +++ lib/SVN/Web.pm (working copy) @@ -263,7 +263,7 @@ # Create a default pool for the action's allocation my $pool = SVN::Pool->new_default(); - $REPOS{$cfg->{repos}}{client} = SVN::Client->new(); + $REPOS{$cfg->{repos}}{client} = SVN::Client->new(config=>{}); $html = $action->run(); and mod_perl works just fine. John -- John Peacock Director of Information Research and Technology Rowman & Littlefield Publishing Group 4501 Forbes Boulevard Suite H Lanham, MD 20706 301-459-3366 x.5010 fax 301-429-5748

Thu Jan 11 17:13:17 2007 NIKC [...] cpan.org - Correspondence added

Fixed in http://jc.ngo.org.uk:80/svnweb/jc/revision/?rev=1281. Thanks.

Thu Jan 11 17:13:18 2007 NIKC [...] cpan.org - Status changed from 'open' to 'resolved'

Bug #23827 for SVN-Web: Running under mod_perl [as root] fails