I had similar concerns about exposing my Subversion repositories to unauthorized access via Codestriker. Here are some hints on how to secure Subversion/Codestriker integration through Apache. The notes below are specific to my configuration (Debian Linux; using a MySQL database) so you may need to modify them to work for your specific configuration.

Setting up Subversion repositories and codestriker databases with authorization control.

1) Add codestriker user to the apache2 password file (only needs to be done once).

> htpasswd2 /var/lib/svn/dav_svn.passwd codestriker
New password: <cs_apache_password>
Re-type new password: <cs_apache_password>

2) Initialize the codestriker database:

> mysql -u root -p
password:
create database cs<Database_name>db; (Ex. <Database_name> = StevesLab, Training, Apps, ....)
grant select, insert, update, delete, index, alter, create, drop, references on
cs<Database_name>db.* to codestriker@localhost identified by '<cspasswd>';
flush privileges;
quit

To check the database:

> mysql -u codestriker -D cs<Database_name>db -p

To delete a database:

drop database cs<Database_name>db;

3) Duplicate the codestriker source code, initialize and check the setup:

> cd /var/www/codestriker
> cp -pr codestriker-1.8.5 codestriker-<repos-name> (Ex. <repos-name> = steves-lab, training, apps, ....)
> cd codestriker-<repos-name>

Edit the codestriker.conf file and make the following changes:

$db = 'DBI:mysql:dbname=cs<Database_name>db';
$dbuser = 'codestriker';
$dbpasswd = '<cspasswd>';
$codestriker_css = 'http://<hostname>/codestrikerhtml/codestriker.css';
'svn:http://<hostname>/svn/repos/<repos-name>;codestriker;<cs_apache_password>',
$title = "Codestriker $Codestriker::VERSION (<repos-name>)";

(edit other configuration values as needed)

************************ WARNING ************************************
For security reasons the following template file needs to be modified.
Otherwise, the repository password will be displayed.

> cd template/en
> cp -rp default custom
> cd custom
edit viewtopicproperties.html.tmpl
go to approximately line 140
Change the code below from the lines marked - to the lines marked +:

[% IF topic_repository != '' %]
<tr class="tt1">
<td>Repository:</td>
[% FOREACH entry = repositories %]
[% IF entry == topic_repository %]
- <input type="hidden" name="repository" value="[% topic_repository %]" readonly>
- <td>[% entry | html_entity %]</td>
+ <input type="hidden" name="repository" value="" readonly>
+ <td>[% "http://<hostname>/svn/repos/<repos_name>" %]</td>
[% END %]
[% END %]
</tr>
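Review bot: the + lines blank the hidden repository input, which does take the password out of the page source (a hidden input is still visible in view-source, so the original line leaked it there too), but any form on this page that posts the repository parameter will now send an empty string; confirm the handler behind this form does not need that value before relying on the change. Two smaller points: the hardcoded URL uses <repos_name> where the rest of these instructions use <repos-name>, and hardcoding it is only right when each Codestriker copy serves exactly one repository; rendering the URL part of entry with the ";user;password" suffix stripped would keep the page correct for every entry in the repository list.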


> cd ../../../bin
> ./checksetup.pl

4) Add information to the codestriker apache configuration file and restart apache.

> cd /etc/apache2/conf.d
edit codestriker.conf as follows:

Add:

ScriptAlias /codestriker-<repos-name>/ "/var/www/codestriker/codestriker-<repos-name>/cgi-bin/"

<Location "/codestriker-<repos-name>">
# SetHandler perl-script
# PerlHandler ModPerl::Registry
Options +ExecCGI
AddHandler cgi-script .pl
AuthType Basic
AuthName "Codestriker for steves-lab Repository"
AuthUserFile /var/lib/svn/dav_svn.passwd
AuthGroupFile /var/lib/svn/dav_svn.group
# Apache only enforces the AuthType/AuthUserFile settings above when a Require directive is present
Require group steves-lab-write
</Location>


> apache2ctl graceful

5) Give codestriker read access to the repositories.

> cd /var/lib/svn
edit dav_svn.authz

Add:

codestriker = r (under each repository using codestriker)
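Two checks for the setup above, as an added example that is not part of the original post or of Codestriker itself: the first parses a Subversion authz file and reports every place where the codestriker principal, directly or through a group, has more than the read-only access step 5 calls for; the second reduces a 'svn:<url>;<user>;<password>' repository entry to the bare URL, which is what the step 3 template change aims to display. The authz contents are a constructed sample; the path and principal name follow the post.

```python
"""Audit checks for the Subversion/Codestriker integration described above.

Added example (not Codestriker's or the poster's code). All sample
contents are constructed; file paths and the principal name follow the post.
"""
import configparser

# Constructed sample of /var/lib/svn/dav_svn.authz after step 5, with two
# deliberate mistakes: a direct rw grant and an rw grant via group membership.
SAMPLE_AUTHZ = """\
[groups]
steves-lab-write = steve, alice
apps-write = bob, codestriker

[steves-lab:/]
@steves-lab-write = rw
codestriker = r

[training:/]
codestriker = rw

[apps:/]
@apps-write = rw
"""


def audit_authz(text, principal="codestriker"):
    """Return {section: offending rule} for every repository path where
    the principal, directly or through a group, has more than read access."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str            # keep user/group names case-sensitive
    cp.read_string(text)
    member_of = set()
    if cp.has_section("groups"):
        for group, members in cp.items("groups"):
            if principal in [m.strip() for m in members.split(",")]:
                member_of.add("@" + group)
    problems = {}
    for section in cp.sections():
        if section in ("groups", "aliases"):
            continue
        for who, perm in cp.items(section):
            if (who == principal or who in member_of) and perm.strip() != "r":
                problems[section] = f"{who} = {perm.strip()}"
    return problems


def display_repository(entry):
    """Reduce a codestriker.conf repository entry of the form
    'svn:<url>;<user>;<password>' to the bare URL, which is what the
    template change in step 3 is meant to show instead of the full entry."""
    body = entry.split(":", 1)[1] if entry.startswith("svn:") else entry
    return body.split(";", 1)[0]
```

Running audit_authz over the real dav_svn.authz after editing it is a quick way to confirm that no repository grants the review account write access.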


-----Original Message-----
From: Aaron Wilson <Aaron.I.Wilson@nasa.gov>
Sent: Thu Mar 10 10:01:56 CST 2005
To: codestriker-user@lists.sourceforge.net
Subject: [Codestriker-user] Security?


Developers,

I just read an article in IEEE Software magazine (Jan/Feb 2005 Vol 22 No
1) regarding CodeStriker. Here at the NASA IV&V Facility we
perform manual code reviews on numerous mission/safety critical software,
for which CodeStriker could be valuable. However, I did
not see anything in the article or on CodeStriker's homepage
regarding security. Can projects be restricted by
username/password? Basically, we need to be able to specify
group-level access to a project where users can belong to multiple
groups. Is this currently implemented? If not, do you foresee
any problems if this was to be implemented?

Regards,

Aaron I. Wilson
AST: Computer Engineer
TEL: (304) 367-8299
FAX: (304) 367-8203
Aaron.I.Wilson@nasa.gov
http://www.ivv.nasa.gov/
_______________________________________________
Codestriker-user mailing list
Codestriker-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/codestriker-user