Subversion includes Svnserve - a lightweight stand-alone server which uses a custom protocol over an ordinary TCP/IP connection. It is ideal for smaller installations, or where a full blown Apache server cannot be used.
In most cases svnserve is easier to setup and runs faster than the Apache based server, although it doesn't have some of the advanced features. And now that SASL support is included it is easy to secure as well.
Get the latest version of Subversion from http://subversion.apache.org/getting.html . Alternatively get a pre-packaged installer from CollabNet at http://www.collab.net/downloads/subversion . This installer will setup svnserve as a Windows service, and also includes some of the tools you need if you are going to use SASL for security.
If you already have a version of Subversion installed, and svnserve is running, you will need to stop it before continuing.
Run the Subversion installer. If you run the installer on your server (recommended) you can skip step 4.
Open the windows-explorer, go to the
installation directory of Subversion (usually
C:\Program Files\Subversion) and in the
bin directory, find the files
- copy these files, or just copy all of the
directory, into a directory on your server e.g.
Now that svnserve is installed, you need it running on your server. The simplest approach is to run the following from a DOS shell or create a windows shortcut:
svnserve will now start waiting for incoming requests on port 3690. The --daemon switch tells svnserve to run as a daemon process, so it will always exist until it is manually terminated.
If you have not yet created a repository, follow the instructions given with the Apache server setup the section called “Configuration”.
To test that svnserve is working, use→ to view a repository.
Assuming your repository is located in
c:\repos\TestRepo, and your server is called
when prompted by the repo browser.
You can also increase security and save time entering URLs with svnserve by using the --root switch to set the root location and restrict access to a specified directory on the server:
svnserve.exe --daemon --root drive:\path\to\repository\root
Using the previous test as a guide, svnserve would now run as:
svnserve.exe --daemon --root c:\repos
And in TortoiseSVN our repo-browser URL is now shortened to:
Note that the --root switch is also needed if your repository is located on a different partition or drive than the location of svnserve on your server.
Svnserve will service any number of repositories. Just locate them somewhere below the root folder you just defined, and access them using a URL relative to that root.
Do not create or access a Berkeley DB repository on a network share. It cannot exist on a remote filesystem. Not even if you have the network drive mapped to a drive letter. If you attempt to use Berkeley DB on a network share, the results are unpredictable - you may see mysterious errors right away, or it may be months before you discover that your repository database is subtly corrupted.
Running svnserve as a user is usually not the best way. It means always having a user logged in on your server, and remembering to restart it after a reboot. A better way is to run svnserve as a windows service. Starting with Subversion 1.4, svnserve can be installed as a native windows service.
To install svnserve as a native windows service, execute the following command all on one line to create a service which is automatically started when windows starts.
sc create svnserve binpath= "c:\svnserve\svnserve.exe --service --root c:\repos" displayname= "Subversion" depend= tcpip start= auto
If any of the paths include spaces, you have to use (escaped) quotes around the path, like this:
sc create svnserve binpath= " \"C:\Program Files\Subversion\bin\svnserve.exe\" --service --root c:\repos" displayname= "Subversion" depend= tcpip start= auto
You can also add a description after creating the service. This will show up in the Windows Services Manager.
sc description svnserve "Subversion server (svnserve)"
Note the rather unusual command line format used by
key= value pairs there must be no space between
the key and the
= but there must be a space before the
Microsoft now recommend services to be run as under either the Local Service or Network Service account. Refer to The Services and Service Accounts Security Planning Guide . To create the service under the Local Service account, append the following to the example above.
obj= "NT AUTHORITY\LocalService"
Note that you would have to give the Local Service account appropriate rights to both Subversion and your repositories, as well as any applications which are used by hook scripts. The built-in group for this is called "LOCAL SERVICE".
Once you have installed the service, you need to go to the services manager to start it (this time only; it will start automatically when the server reboots).
For more detailed information, refer to Windows Service Support for Svnserve .
If you installed an earlier version of svnserve using the
SVNService wrapper, and you now want to use
the native support instead, you will need to unregister the wrapper
as a service (remember to stop the service first!).
Simply use the command
to remove the service registry entry.
The default svnserve setup provides anonymous read-only access.
This means that you can use an
to checkout and update, or use the repo-browser in TortoiseSVN
to view the repository, but you won't be able to commit any changes.
To enable write access to a repository, you need to edit the
conf/svnserve.conf file in your repository
directory. This file controls the configuration of the
svnserve daemon, and also contains useful documentation.
You can enable anonymous write access by simply setting:
[general] anon-access = write
However, you will not know who has made changes to a repository,
svn:author property will be empty.
You will also be unable to control who makes changes to a
repository. This is a somewhat risky setup!
One way to overcome this is to create a password database:
[general] anon-access = none auth-access = write password-db = userfile
userfile is a file which exists in
the same directory as
file can live elsewhere in your file system (useful for when you
have multiple repositories which require the same access rights)
and may be referenced using an absolute path, or a path
relative to the
If you include a path, it must be written
Using \ or drive letters will not work.
userfile should have a structure of:
[users] username = password ...
This example would deny all access for unauthenticated
(anonymous) users, and give read-write access to users listed
If you maintain multiple repositories using the same password database, the use of an authentication realm will make life easier for users, as TortoiseSVN can cache your credentials so that you only have to enter them once. More information can be found in the Subversion book, specifically in the sections Create a 'users' file and realm and Client Credentials Caching
The Cyrus Simple Authentication and Security Layer is open source software written by Carnegie Mellon University. It adds generic authentication and encryption capabilities to any network protocol, and as of Subversion 1.5 and later, both the svnserve server and TortoiseSVN client know how to make use of this library.
For a more complete discussion of the options available, you should look at the Subversion book in the section Using svnserve with SASL . If you are just looking for a simple way to set up secure authentication and encryption on a Windows server, so that your repository can be accessed safely over the big bad Internet, read on.
To activate specific SASL mechanisms on the server, you'll
need to do three things. First, create a
section in your repository's
file, with this key-value pair:
use-sasl = true
Second, create a file called
svn.conf in a
convenient location - typically in the directory where subversion
Thirdly, create two new registry entries to tell SASL where to
find things. Create a registry key named
[HKEY_LOCAL_MACHINE\SOFTWARE\Carnegie Mellon\Project Cyrus\SASL Library]
and place two new string values inside it:
SearchPath set to the directory path containing
sasl*.dll plug-ins (normally in the
Subversion install directory), and
to the directory containing the
If you used the CollabNet installer, these registry keys will already
have been created for you.
svn.conf file to contain the following:
pwcheck_method: auxprop auxprop_plugin: sasldb mech_list: DIGEST-MD5 sasldb_path: C:\TortoiseSVN\sasldb
The last line shows the location of the authentication database,
which is a file called
This could go anywhere, but a convenient choice is the repository
parent path. Make sure that the svnserve service has read access
to this file.
If svnserve was already running, you will need to restart it to ensure it reads the updated configuration.
Now that everything is set up, all you need to do is create some
users and passwords. To do this you need the
saslpasswd2 program. If you used the CollabNet
installer, that program will be in the install directory.
Use a command something like this:
saslpasswd2 -c -f C:\TortoiseSVN\sasldb -u realm username
-f switch gives the database location,
realm must be the same as the value you
defined in your repository's
file, and username is exactly what you expect it to be.
Note that the realm is not allowed to contain space characters.
You can list the usernames stored in the database using the
To enable or disable different levels of encryption, you can
set two values in your repository's
[sasl] use-sasl = true min-encryption = 128 max-encryption = 256
max-encryption variables control the
level of encryption demanded by the server. To disable
encryption completely, set both values to 0. To enable
simple checksumming of data (i.e., prevent tampering and
guarantee data integrity without encryption), set both
values to 1. If you wish to allow (but not require) encryption,
set the minimum value to 0, and the maximum value to some
bit-length. To require encryption unconditionally, set both
values to numbers greater than 1. In our previous example,
we require clients to do at least 128-bit encryption,
but no more than 256-bit encryption.
Another way to authenticate users with a svnserve based server is to use a secure shell (SSH) to tunnel requests through. It is not as simple to set up as SASL, but it may be useful is some cases.
With this approach, svnserve is not run as a daemon process, rather, the secure shell starts svnserve for you, running it as the SSH authenticated user. To enable this, you need a secure shell daemon on your server.
A basic method for setting up your server is given in Appendix G, Securing Svnserve using SSH. You can find other SSH topics within the FAQ by searching for “SSH”.
Further information about svnserve can be found in the Version Control with Subversion .
Starting with Subversion 1.3, svnserve supports the same
mod_authz_svn path-based authorization scheme
that is available with the Apache server. You need to edit the
conf/svnserve.conf file in your repository
directory and add a line referring to your authorization file.
[general] authz-db = authz
authz is a file you create to define
the access permissions. You can use a separate file for each
repository, or you can use the same file for several repositories.
Read the section called “Path-Based Authorization”
for a description of the file format.