6.5 svn

Remote access to SVN repositories is done via the svnserve binary. It is executed on the server with the -t option. The -r option can be used to restrict access to a subset of root directories. So, we can use the following rule:

rule svn
  command ^svnserve -t
  transform s|-r *[^ ]*||;s|^svnserve |/usr/bin/svnserve -r /svnroot |

The transform action removes any -r options the user might have specified and enforces a single root directory. A more restrictive action can be used to improve security:

  transform s|.*|/usr/bin/svnserve -r /svnroot -t|
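
The following check is an added example, not part of the Rush distribution: it runs both transform expressions over constructed client command lines and reports whether anything the client typed survives the rewrite. Assumptions: sed(1) stands in for Rush's sed-like transform engine, the expressions carry a space after /svnroot and keep -t, the helper names are hypothetical, and `--some-option` is a made-up placeholder argument.

```shell
#!/bin/sh
# Added example: compare the two transforms from the svn rule.
# Assumption: sed(1) approximates Rush's sed-like transform expressions.

# The only command line the server should ever execute.
CANON='/usr/bin/svnserve -r /svnroot -t'

# First transform: strip one -r option, then prepend the enforced root.
loose()  { printf '%s\n' "$1" | sed 's|-r *[^ ]*||;s|^svnserve |/usr/bin/svnserve -r /svnroot |'; }

# Restrictive transform: discard the client's command line entirely.
strict() { printf '%s\n' "$1" | sed 's|.*|/usr/bin/svnserve -r /svnroot -t|'; }

# Collapse runs of spaces and trim the end so results can be compared.
norm() { printf '%s\n' "$1" | sed 's|  *| |g;s| $||'; }

# pinned RULE CMD: succeed only if the rewritten command equals $CANON,
# i.e. no client-supplied argument reaches svnserve.
pinned() { [ "$(norm "$("$1" "$2")")" = "$CANON" ]; }

# Constructed sample requests; all of them match "command ^svnserve -t".
report() {
  while IFS= read -r cmd; do
    for rule in loose strict; do
      if pinned "$rule" "$cmd"; then v=pinned; else v=EXTRA; fi
      printf '%-6s %-6s %s  ->  %s\n' "$rule" "$v" "$cmd" "$(norm "$("$rule" "$cmd")")"
    done
  done <<'EOF'
svnserve -t
svnserve -t -r /home/alice
svnserve -t -r /a -r /b
svnserve -t --some-option
EOF
}

report
```

Lines marked EXTRA show that the first transform removes only the first -r it finds and passes every other argument through unchanged, while the restrictive transform always yields the same command line.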