Updating Subversion from PHP on Windows - Permissions-related (Access Denied)_问答_开发者

Updating Subversion from PHP on Windows - Permissions-related (Access Denied)

开发者 https://www.devze.com 2023-04-09 08:04 出处：网络

I have written a PHP script which updates a SVN working copy. It works fine on m开发者_JS百科y development machine (W2k3 Server)but I cannot get it to work on a production server (W2k8 Server). I\'m

I have written a PHP script which updates a SVN working copy.

It works fine on m开发者_JS百科y development machine (W2k3 Server)but I cannot get it to work on a production server (W2k8 Server). I'm using the latest Collabnet Subversion binaries (1.6.17).

Here's the PHP code:

$command = 'svn update C:\inetpub\wwwroot\mysite --config-dir C:\Windows\Temp'; 

$response = array();
$handle = popen("$command 2>&1", 'r');
$read = '';
while( $read = fread( $handle, 20096 ) ) 
{
    $response[] = $read;
}
pclose( $handle );
flush();

echo '<h2>Command</h2><p> ' . $command . '</p>';
echo '<h2>Response</h2><p>' . implode( '<br />', $response ) . '</p>';

When I run the same command from the command prompt it works fine. But when I run it through IIS, I get:

svn: Can't open file 'C:\inetpub\wwwroot\mysite.svn\lock': Access is denied.

Presumably I need elevated permissions but I have no idea how to implement it.

I've tried giving the _IUSR account full control of the folder containing svn and the C:\inetpub\wwwroot\mysite.svn\ folders but it makes no difference.

Thanks

Had issues just like this with SVN and Windows Server 2008. The issue is caused by the UAC stuff that typically prevents someone from changing a file if they don't own the file. In the case of SVN, the issue was typically that one user performed the initial checkout, creating the .svn folders and associated bits. Then a different user went to svn up and got OS-level access issues about modifying the SVN database files.

Unfortunately, the best fix we could get to was disabling UAC. Actually solved a few other problems and it really makes sense on servers. If it is running as a scheduled task then you could try "run with highest priviliges" but elevating that much makes little sense for a web app.

Account IUSR_COMPUTERNAME must have read/write access to the folder C:\inetpub\wwwroot\mysite.svn if it is a checkout.
Next (not sure), you may need to give write access to the folder in the IIS properties for the virtual folder C:\inetpub\wwwroot\mysite.svn.

I think you need to specifically grant read/write permissions to the user that PHP is running under. In my case php is running as an Apache module, so it runs under the same account. I am less familiar with your setup, however the basic idea is the same. Once you have determined what account you are running PHP under, grant it write permissions to the lock file and your problem should go away.

I DO NOT recommend disabling UAC on a production server!! EVER!!! You want to grant the smallest amount of permissions for the smallest number of users to the smallest amount of resources necessary.

DO NOT remove all of your user account security to write to a lock file!!! Instead, grant the single permission write. Not full control. Grant it to the single user who needs it (likely the local system account). Grant it for the specific file(C:\inetpub\wwwroot\mysite.svn\lock) which it needs to write to.

This approach keeps you from opening a security hole that could be exploited by the malicious!

Thanks everyone. In the end all these answers helped.

I needed to do several things:

Performed a svn cleanup
Turned of UAC if access is denied when setting permissions
The top level .svn folder needed write permissions for IIS_IUSR
All .svn folders need Read/Write permissions for the Users group. However, there's no apparent way to do this, so the permissions need to be set on the whole site directory.

After which the PHP script was able to perform an svn update command. Phew!