Posted to users@subversion.apache.org by Melanie Pfefer <me...@yahoo.co.uk> on 2009/09/02 13:10:12 UTC
RE: secure svn
Hi
I am still stuck in this and I appreciate your help.
When I start using the restrictions, the behavior is unpredictable:
Either I get forbidden
or the access is for everybody without requiring a username/password
I appreciate if you can shed some light on how to use the ACL file
thank you
--- On Sat, 29/8/09, Melanie Pfefer <me...@yahoo.co.uk> wrote:
> From: Melanie Pfefer <me...@yahoo.co.uk>
> Subject: RE: secure svn
> To: users@subversion.tigris.org
> Date: Saturday, 29 August, 2009, 1:14 PM
> Hi
>
> Is it the correct syntax to write in the acl file?
>
> [groups]
> gp1 = user1,user2
> [XYZ:/ABC/123]
> @gp1 = rw
>
> Once I apply this acl, no one can access ABC/ (error 403 in
> apache)
>
> thanks for any hint
>
>
> --- On Fri, 28/8/09, Bob Archer <Bo...@amsi.com>
> wrote:
>
> > From: Bob Archer <Bo...@amsi.com>
> > Subject: RE: secure svn
> > To: "Melanie Pfefer" <me...@yahoo.co.uk>,
> "users@subversion.tigris.org"
> <us...@subversion.tigris.org>
> > Date: Friday, 28 August, 2009, 5:15 PM
> > > Can you please help me out in
> > this issue?
> > > Actually I want to know how to restrict access to
> a
> > subfolder using svn
> > > acl file
> >
> > It would probably be best if you read the book on
> this. If
> > you need help you can ask more specific questions.
> >
> > http://svnbook.red-bean.com/nightly/en/svn-book.html#svn.serverconfig.pathbasedauthz
> >
> > BOb
> >
>
> ------------------------------------------------------
> http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2388486
>
> To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].
>
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2390184
To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].
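Added example, not part of any post in this thread: a simplified Python model of how Subversion's path-based authorization resolves a request against the ACL quoted above. It assumes the lookup order described in the Subversion book (repository-specific section, then the generic section, then the parent path, and deny when nothing matches) and ignores nested groups and aliases; `FIXED_ACL` and the function names are constructed for illustration. With the ACL as posted, a request for /ABC walks up to / without meeting any rule, which is the default-deny case.

```python
import configparser
import posixpath

# ACL exactly as quoted in the thread.
THREAD_ACL = """
[groups]
gp1 = user1,user2
[XYZ:/ABC/123]
@gp1 = rw
"""

# Constructed variant (assumption): adds a read rule on the parent path.
FIXED_ACL = THREAD_ACL + """
[XYZ:/ABC]
@gp1 = r
"""

def load(text):
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.optionxform = str  # keep user and group names case-sensitive
    cfg.read_string(text)
    return cfg

def applies(cfg, name, user):
    """Does an entry name ('*', '@group' or a user name) cover this user?"""
    if name == "*":
        return True
    if name.startswith("@"):
        members = cfg.get("groups", name[1:], fallback="")
        return user in [m.strip() for m in members.split(",")]
    return name == user

def check(cfg, repo, path, user, need):
    """need is 'r' or 'w'; user=None models an unauthenticated request."""
    while True:
        # Repository-specific section first, then the generic one.
        for section in (f"{repo}:{path}", path):
            if cfg.has_section(section):
                perms = [v for k, v in cfg.items(section) if applies(cfg, k, user)]
                if perms:  # an entry names this user: the section decides
                    return any(need in p for p in perms)
        if path == "/":
            return False  # no rule on the path or any parent: denied
        path = posixpath.dirname(path)  # otherwise inherit from the parent

if __name__ == "__main__":
    acl = load(THREAD_ACL)
    print("user1 write /ABC/123:", check(acl, "XYZ", "/ABC/123", "user1", "w"))
    print("user1 read  /ABC    :", check(acl, "XYZ", "/ABC", "user1", "r"))
    print("fixed, read /ABC    :", check(load(FIXED_ACL), "XYZ", "/ABC", "user1", "r"))
```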
Re: secure svn
Posted by Andrey Repin <an...@freemail.ru>.
Greetings, Melanie Pfefer!
>> > I managed to secure a repo.
>>
>> > Is there a way to audit who accessed this repo?
>>
>> > Should I look into apache logs or svn can do this?
>>
>> If you're serving SVN out of Apache - configure Apache to
>> log SVN actions
>> separately.
> Now I am securing svn access using AuthzSVNAccessFile
> However, nothing prevents user from installing another apache server and access svn files.
> Nothing also prevents accessing svn files using file://
> Can you please give me some hints on how to further secure svn
WHAT? WAIT, WHAAAT???????????
What you are explaining is just not possible, unless you have your server
opened for everyone with superadmin rights. Please hire a system
administrator, if you can't configure your servers yourself.
Also, please stop top-posting.
--
WBR,
Andrey Repin (anrdaemon@freemail.ru) 16.09.2009, <21:59>
Sorry for my terrible english...
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2395669
Re: secure svn
Posted by Bogdan Cristea <cr...@gmail.com>.
On Wednesday 16 September 2009 17:51:45 you wrote:
> However, nothing prevents user from installing another apache server and
> access svn files. Nothing also prevents accessing svn files using file://
>
> Can you please give me some hints on how to further secure svn
>
Create a svnadmin account on the server and let only that account have
access to svn files
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2395599
Re: secure svn
Posted by Melanie Pfefer <me...@yahoo.co.uk>.
Hi
Now I am securing svn access using AuthzSVNAccessFile
However, nothing prevents user from installing another apache server and access svn files.
Nothing also prevents accessing svn files using file://
Can you please give me some hints on how to further secure svn
thank you
--- On Sat, 5/9/09, Andrey Repin <an...@freemail.ru> wrote:
> From: Andrey Repin <an...@freemail.ru>
> Subject: Re: secure svn
> To: "Melanie Pfefer" <me...@yahoo.co.uk>, users@subversion.tigris.org
> Date: Saturday, 5 September, 2009, 2:19 PM
> Greetings, Melanie Pfefer!
>
> > I managed to secure a repo.
>
> > Is there a way to audit who accessed this repo?
>
> > Should I look into apache logs or svn can do this?
>
> If you're serving SVN out of Apache - configure Apache to
> log SVN actions
> separately.
>
>
> --
> WBR,
> Andrey Repin (anrdaemon@freemail.ru)
> 05.09.2009, <15:18>
>
> Sorry for my terrible english...
>
> ------------------------------------------------------
> http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2391269
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2395596
Re: secure svn
Posted by Andrey Repin <an...@freemail.ru>.
Greetings, Melanie Pfefer!
> I managed to secure a repo.
> Is there a way to audit who accessed this repo?
> Should I look into apache logs or svn can do this?
If you're serving SVN out of Apache - configure Apache to log SVN actions
separately.
--
WBR,
Andrey Repin (anrdaemon@freemail.ru) 05.09.2009, <15:18>
Sorry for my terrible english...
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2391269
RE: secure svn
Posted by Melanie Pfefer <me...@yahoo.co.uk>.
Hi
I managed to secure a repo.
Is there a way to audit who accessed this repo?
Should I look into apache logs or svn can do this?
thanks
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2391259
RE: secure svn
Posted by Melanie Pfefer <me...@yahoo.co.uk>.
Hi,
Here it is
<Location /svn/XYZ/ABC/>
    DAV svn
    SVNParentPath ...
    Options FollowSymLinks
    AuthBasicProvider ldap
    AuthLDAPUrl ...
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require valid-user
    </LimitExcept>
    AuthType Basic
    AuthName "Please enter your credentials"
    AuthzSVNAccessFile /usr/local/apache/acl.conf
    ....
</Location>
thanks
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2390326
RE: secure svn
Posted by Bob Archer <bo...@amsi.com>.
>
> Hi,
>
> How do you have your svn configured?
> Is there a specific command you need? Here is the ldd output:
> libsvn_client-1.so.0 => /usr/local/lib/libsvn_client-1.so.0
>
> Have you turned off non-authenticated access?
> No but how to make sure?
> When you say "the access is for everybody" do you mean read or write
> access?
> access via a browser so it should be read
I really meant the configuration file that specifies your authentication methods. I know with svnserve you use the svnserve.config file in the repository. I think with apache this configuration is done in the httpd.conf file.
Do you have Require valid-user in your <Location> section? For example. If not, then you are allowing non-authenticated access.
The doc on this is here: http://svnbook.red-bean.com/nightly/en/svn-book.html#svn.serverconfig.httpd.authz
BOb
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2390299
RE: secure svn
Posted by Melanie Pfefer <me...@yahoo.co.uk>.
Hi,
How do you have your svn configured?
Is there a specific command you need? Here is the ldd output:
libsvn_client-1.so.0 => /usr/local/lib/libsvn_client-1.so.0
libsvn_wc-1.so.0 => /usr/local/lib/libsvn_wc-1.so.0
libsvn_ra-1.so.0 => /usr/local/lib/libsvn_ra-1.so.0
libsvn_diff-1.so.0 => /usr/local/lib/libsvn_diff-1.so.0
libsvn_ra_local-1.so.0 => /usr/local/lib/libsvn_ra_local-1..so.0
libsvn_repos-1.so.0 => /usr/local/lib/libsvn_repos-1.so.0
libsvn_fs-1.so.0 => /usr/local/lib/libsvn_fs-1.so.0
libsvn_fs_fs-1.so.0 => /usr/local/lib/libsvn_fs_fs-1.so.0
libsvn_ra_svn-1.so.0 => /usr/local/lib/libsvn_ra_svn-1.so.0
libsvn_ra_dav-1.so.0 => /usr/local/lib/libsvn_ra_dav-1.so.0
libsvn_delta-1.so.0 => /usr/local/lib/libsvn_delta-1.so.0
libsvn_subr-1.so.0 => /usr/local/lib/libsvn_subr-1.so.0
libaprutil-1.so.0 => /usr/local/apache2/lib/libaprutil-1.so.0
libldap-2.4.so.2 => /usr/local/lib/libldap-2.4.so.2
libsasl2.so.2 => /usr/local/lib/libsasl2.so.2
libdl.so.1 => /lib/libdl.so.1
liblber-2.4.so.2 => /usr/local/lib/liblber-2.4.so.2
libresolv.so.2 => /lib/libresolv.so.2
libgen.so.1 => /lib/libgen.so.1
libiconv.so.2 => /usr/local/lib/libiconv.so.2
libapr-1.so.0 => /usr/local/apache2/lib/libapr-1.so.0
libuuid.so.1 => /lib/libuuid.so.1
libsendfile.so.1 => /lib/libsendfile.so.1
librt.so.1 => /lib/librt.so.1
libpthread.so.1 => /lib/libpthread.so.1
libneon.so.25 => /usr/local/lib/libneon.so.25
libssl.so.0.9.8 => (file not found)
libcrypto.so.0.9.8 => (file not found)
libnsl.so.1 => /lib/libnsl.so.1
libexpat.so.1 => /usr/local/lib/libexpat.so.1
libsocket.so.1 => /lib/libsocket.so.1
libz.so.1 => /usr/lib/libz.so.1
libc.so.1 => /lib/libc.so.1
libgcc_s.so.1 => /usr/local/lib/libgcc_s.so.1
libssl.so.0.9.8 => /usr/local/ssl/lib/libssl.so.0.9.8
libcrypto.so.0.9.8 => /usr/local/ssl/lib/libcrypto.so.0.9.8
libaio.so.1 => /lib/libaio.so.1
libmd5.so.1 => /lib/libmd5.so.1
libexpat.so.0 => /usr/local/lib/libexpat.so.0
libmp.so.2 => /lib/libmp.so.2
libscf.so.1 => /lib/libscf.so.1
libdoor.so.1 => /lib/libdoor.so.1
libuutil.so.1 => /lib/libuutil.so.1
libm.so.2 => /lib/libm.so.2
Have you turned off non-authenticated access?
No but how to make sure?
When you say "the access is for everybody" do you mean read or write access?
access via a browser so it should be read
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2390271
RE: secure svn
Posted by Bob Archer <bo...@amsi.com>.
> --- On Sat, 29/8/09, Melanie Pfefer <me...@yahoo.co.uk> wrote:
>
> > From: Melanie Pfefer <me...@yahoo.co.uk>
> > Subject: RE: secure svn
> > To: users@subversion.tigris.org
> > Date: Saturday, 29 August, 2009, 1:14 PM
> > Hi
> >
> > Is it the correct syntax to write in the acl file?
> >
> > [groups]
> > gp1 = user1,user2
> > [XYZ:/ABC/123]
> > @gp1 = rw
> >
> > Once I apply this acl, no one can access ABC/ (error 403 in
> > apache)
> >
> > thanks for any hint
> >
> >
> > --- On Fri, 28/8/09, Bob Archer <Bo...@amsi.com>
> > wrote:
> >
> > > From: Bob Archer <Bo...@amsi.com>
> > > Subject: RE: secure svn
> > > To: "Melanie Pfefer" <me...@yahoo.co.uk>,
> > "users@subversion.tigris.org"
> > <us...@subversion.tigris.org>
> > > Date: Friday, 28 August, 2009, 5:15 PM
> > > > Can you please help me out in
> > > this issue?
> > > > Actually I want to know how to restrict access to
> > a
> > > subfolder using svn
> > > > acl file
> > >
> > > It would probably be best if you read the book on
> > this. If
> > > you need help you can ask more specific questions.
> > >
> > > http://svnbook.red-bean.com/nightly/en/svn-
> book.html#svn.serverconfig.pathbasedauthz
> > >
> I am still stuck in this and I appreciate your help.
>
> When I start using the restrictions, the behavior is unpredictable:
>
> Either I get forbidden
> or the access is for everybody without requiring a username/password
How do you have your svn configured? Have you turned off non-authenticated access? When you say "the access is for everybody", do you mean read or write access?
(BTW: You seem to get more help if you don't top post. It bothers a lot of people on this list.)
BOb
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2390246