50

I have set up a Linux Server and installed Apache and SVN and dav_svn on it. Now, when I try to upload to https://x.x.x.x:x/svn/repo with Tortoise SVN I get 

Can't open file '/server/svn/repo/db/txn-current-lock': Permission denied

I have Set up my SSL correctly (I can checkout, no problems, even remotely due to Port Forwarding).

I'm guessing this has to do with the Linux Ownership of the Repository folders, How must I set this/ what are the commands?

Braiam
  • 1
  • 11
  • 47
  • 78
wsd
  • 1,246
  • 4
  • 16
  • 22

8 Answers8

69

This is a common problem. You're almost certainly running into permissions issues. To solve it, make sure that the apache user has read/write access to your entire repository. To do that, chown -R apache:apache *, chmod -R 664 * for everything under your svn repository.

Also, see here and here if you're still stuck.

Update to answer OP's additional question in comments:

The "664" string is an octal (base 8) representation of the permissions. There are three digits here, representing permissions for the owner, group, and everyone else (sometimes called "world"), respectively, for that file or directory.

Notice that each base 8 digit can be represented with 3 bits (000 for '0' through 111 for '7'). Each bit means something:

  • first bit: read permissions
  • second bit: write permissions
  • third bit: execute permissions

For example, 764 on a file would mean that:

  • the owner (first digit) has read/write/execute (7) permission
  • the group (second digit) has read/write (6) permission
  • everyone else (third digit) has read (4) permission

Hope that clears things up!

Alexander
  • 23,432
  • 11
  • 63
  • 73
John Feminella
  • 303,634
  • 46
  • 339
  • 357
  • Thanks, this helps. I changed the owner to the www-data user, And was able to commit my changes. Is there a good site to learn how chmod works? I cant seem to find any pattern behind the numbers (664?) – wsd Jun 06 '09 at 18:54
  • The man page of chmod explains the octal numbers. You can also use characters at least on Linux distributions since several years -- `chmod -R a+rwx *` is somewhat more understandable to most humans. – bluebrother Jun 06 '09 at 21:53
  • Genius! Thanks a lot, I never knew Linux was THAT sophisticated. – wsd Jun 08 '09 at 08:43
  • 1
    I solved this problem on Windows Server 2003 by giving full control of the repository directory to the svn user. – Jason Jan 05 '10 at 21:30
  • 5
    The top part of your answer -- in grey highlight -- says chmod 664, but I think you meant 764? – Shane H Dec 15 '10 at 22:25
  • @Encoderer: No, 664. You usually don't want to make a svn repo executable except in limited cases. – John Feminella Dec 29 '11 at 23:03
  • 3
    To prevent problems with directories, try this: `find . -type d -exec chmod 755 {} \;` `find . -type f -exec chmod 644 {} \;` – Terence Johnson Jul 03 '12 at 18:59
  • Depending on your configuration you may actually want chmod -R 770 repoName, otherwise users might receive the message _Could not open the requested SVN filesystem_. – Steve Swinsburg May 02 '13 at 08:37
  • chmod -R 774 did it for me or I couldn't commit as another user through svn+ssh. – Jonny Apr 12 '16 at 09:57
13

It's permission problem. It is not "classic" read/write permissions of apache user, but selinux one.

Apache cannot write to files labeled as httpd_sys_content_t they can be only read by apache.

You have 2 possibilities:

  1. label svn repository files as httpd_sys_content_rw_t:

    chcon -R -t httpd_sys_content_rw_t /path/to/your/svn/repo

  2. set selinux boolean httpd_unified --> on

    setsebool -P httpd_unified=1

I prefer 2nd possibility. You can play also with other selinux booleans connected with httpd:

getsebool -a | grep httpd
giosans
  • 1,136
  • 1
  • 12
  • 30
mezek
  • 155
  • 2
  • 7
  • 3
    The problem with option 1 is that if the file system ever gets relabeled again (happens sometimes on reboot), then your changes are gone. A better option (which I prefer over your option 2) is to "teach" SELinux's policy that its OK for apache to write to certain directories: `semanage fcontext -a -t httpd_sys_content_rw_t "/path/to/your/svn/repo(/.*)?"` and then relabel this path using `restorecon -R /path/to/your/svn/repo`. This is more secure because you use SELinux for what it is designed: specifying exactly what is allowed and what isn't. – Guss Nov 14 '11 at 17:13
  • +1 if that seems a bit overkill, you can disable SELinux at all following http://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html – ATorras Oct 22 '14 at 17:32
  • This may have changed between Red Hat/CentOS/... generations. For things to work on an RHEL 7.3 installation, I had to do the following: `semanage fcontext -a -t httpd_sys_rw_content_t "/SOME/PATH/TO/repos/.*"` followed by `restorecon -R /SOME/PATH/TO/repos` followed by `systemctl restart httpd` (The last command might not be needed, though.) – Troels Arvin Jun 02 '17 at 14:28
3

I also had this problem recently, and it was the SELinux which caused it. I was trying to have the post-commit of subversion to notify Jenkins that the code has change so Jenkins would do a build and deploy to Nexus.

I had to do the following to get it to work.

1) First I checked if SELinux is enabled:

    less /selinux/enforce

This will output 1 (for on) or 0 (for off)

2) Temporary disable SELinux:

    echo 0 > /selinux/enforce

Now test see if it works now.

3) Enable SELinux:

    echo 1 > /selinux/enforce

Change the policy for SELinux.

4) First view the current configuration:

    /usr/sbin/getsebool -a | grep httpd

This will give you: httpd_can_network_connect --> off

5) Set this to on and your post-commit will work with SELinux:

    /usr/sbin/setsebool -P httpd_can_network_connect on

Now it should be working again.

Humphrey
  • 33
  • 4
  • 1
    Something weird happens to me. If i set _selinux enforce_ to 0 I can commit changes and the repository will notify jenkins and the job will get executed, etc. But when I set the enforce back to 1 and the _httpd_can_network_connect on_ I get the _svn: E000013: Commit failed (details follow): svn: E000013: Can't open file '/usr/share/svn-repositories/ci_repo/db/txn-current-lock': Permission denied_ when I try to commit. The folder's repository owner is apache. I also tried setting the permissions to 766 as recommeded by @JohnFerminella. What are the repercussions of having the _enforce 0_? – Jonathan Morales Vélez Jul 31 '13 at 23:25
  • I just enforced to 0 before disabling SELinux. Now it works perfectly to me. – ATorras Oct 22 '14 at 17:34
2

for example on debian

sudo gpasswd -a svn-admin www-data
sudo chgrp -R www-data svn/
sudo chmod -R g=rwsx svn/
puchu
  • 3,294
  • 6
  • 38
  • 62
0

In addition to the repository permissions, the /tmp directory must also be writeable by all users.

Lofty Lion
  • 117
  • 1
  • 6
0

I just had this problem

  1. Having multiple user using the same repo caused the problem
  2. Logout evey other user using the repo

Hope this helps

Pascal
  • 2,377
  • 3
  • 25
  • 40
0

3 Steps you can follow

  1. chmod -R 775 <repo path>  
---> change permissions of repository

  2. chown -R apache:apache <repo path>  
---> change owner of svn repository

  3. chcon -R -t httpd_sys_content_t <repo path>  
----> change SELinux security context of the svn repository
wsd
  • 1,246
  • 4
  • 16
  • 22
Dreem Job
  • 1
-1

Try to disable SELinux by this command /usr/sbin/setenforce 0. In my case it solved the problem.

Stanley
  • 5,057
  • 4
  • 34
  • 44
vladimir
  • 15
  • 1