I want our developers (including moi) to be able to run svn update as user www-data on our server, for file/directory permissions.
My solution was to grant access to run sudo -u www-data svn with NOPASSWD in visudo. I also added an alias for this command, and named it svn to make it transparent for our developers.
This works, but I am asked for svn credentials every time (it doesn't save, even if I tell it to). I am thinking about adding the -i parameter, though I thought I should check with you guys first :)
How do I make this as smooth as running the svn update command normally?
Clarification: It is working now. I just don't want to enter my svn credentials every time I run svn update :)
I am not entirely sure, but passing -H as an argument to sudo might take care of the credentials issue (being asked each time). This will set the HOME environment variable to /root by default, so I would guess that then the svn client may then know to look in /root/.subversion for the auth information. Specify a different home directory for wherever the credentials should be for your specific case. Also, make sure whatever user can write/read to that file.
Isn't this what setuid was made for? Create a script or compiled binary (depending on your security requirements) that does the update (one system call should do it), and have it setuid and owned by www-data.
Why not try running it with svn update --username wwwdata
This behaviour is implemented differently between different distros - which are you using?
For RHEL5:
Alternatively you can achieve the same thing with a single script (to restrict the user to a subset of the target program's functionality)
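As an added example (not code from any of the posts above), here is one way to write the kind of single restricting script the last answer mentions: a wrapper that runs only svn update on a working copy under an allowed root, so the sudoers rule does not have to permit arbitrary svn arguments as www-data. The script name, the developers group, the install path and the /var/www root are assumptions.

```shell
#!/bin/sh
# svn-update-as-www: hypothetical wrapper; install it root-owned and not
# writable by the developers who are allowed to call it.
# Assumed sudoers entry (group name and path are placeholders):
#   %developers ALL=(www-data) NOPASSWD: /usr/local/bin/svn-update-as-www
# Assumed invocation:
#   sudo -H -u www-data /usr/local/bin/svn-update-as-www /var/www/site

# Assumed root under which the working copies live.
WC_ROOT=${WC_ROOT:-/var/www}

# Print the canonical path of $1 if it is a directory inside $WC_ROOT;
# return 1 otherwise.
resolve_wc() {
    case $1 in
        ''|-*) return 1 ;;   # empty, or something svn would parse as an option
    esac
    # cd + pwd -P resolves symlinks and ../ before the prefix comparison.
    root=$(cd -- "$WC_ROOT" 2>/dev/null && pwd -P) || return 1
    dir=$(cd -- "$1" 2>/dev/null && pwd -P) || return 1
    case $dir/ in
        "$root"/*) printf '%s\n' "$dir" ;;
        *) return 1 ;;
    esac
}

main() {
    [ "$#" -eq 1 ] || { echo "usage: $0 WORKING_COPY" >&2; return 2; }
    wc=$(resolve_wc "$1") || {
        echo "refusing: $1 is not a directory under $WC_ROOT" >&2
        return 1
    }
    # Fixed subcommand, one validated absolute path: the caller cannot add
    # other subcommands or options such as --config-dir.
    exec svn update "$wc"
}

# Run only when given arguments, so the functions can also be sourced and tested.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```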