Posted to users@subversion.apache.org by Jon Scott Stevens <jo...@latchkey.com> on 2006/03/17 02:43:02 UTC

authz and hiding directories that have read access disabled.

I'm running svn 1.3.0 through Apache 2.0.52 on OSX 10.4.5. Here's my  
authz:

[groups]
admin = jon

[/]
* = r
@admin = rw

[/acl]
* =
@admin = rw

I would expect that when I browse the repo via my http web browser  
(not authenticated), that the /acl directory would not even get  
listed in the output (because of the '* ='), but it does. Note, when  
I try to view the repo, I am properly asked for auth information.

I kind of consider this a minor security hole in that svn is exposing  
the name of a directory which really should not be available  
publicly. Security through obscurity!

By the way, when I browse the same repo using my install of the  
latest version of Trac, it's smart enough to not list the /acl  
directory until I authenticate as jon.

thanks,

jon


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: authz and hiding directories that have read access disabled.

Posted by Justin Erenkrantz <ju...@erenkrantz.com>.
On 3/22/06, Jon Scott Stevens <jo...@latchkey.com> wrote:
> What if I want to change the behavior of the source code (or allow an
> option to do that)?
>
> Which files should I be looking in? I'm not a C expert (more Java/
> PHP)... I dug around in repos.c and mod_authz_svn.c, but I'm not
> really finding the right places...

As Lieven said, it intentionally follows the Unix-style perms structure.

However, if you want to prevent it from being returned in the
autoindex-style case, start with mod_dav_svn/repos.c:dav_svn_deliver. 
Alterations there would prevent it from being returned with just
browsing.  However, their directory names would still be returned as
'absent' in the internal WebDAV calls that the client would see -
removing it from there would require more work.

Feel free to knock yourself out...  =)  -- justin



Re: authz and hiding directories that have read access disabled.

Posted by Jon Scott Stevens <jo...@latchkey.com>.
What if I want to change the behavior of the source code (or allow an  
option to do that)?

Which files should I be looking in? I'm not a C expert (more Java/ 
PHP)... I dug around in repos.c and mod_authz_svn.c, but I'm not  
really finding the right places...

thx,

jon

On Mar 21, 2006, at 9:45 AM, Lieven Govaerts wrote:

> Path-based authz is modeled after Unix folder restrictions. A path on
> which you don't have read-access is still visible, that's correct
> behaviour.
>
> I'd then consider the behaviour in Trac a bug, or at least very  
> confusing.
>
> If you want to hide folders, just add an extra read-only folder in
> between.
>
> Lieven.
>
>> -----Original Message-----
>> From: Jon Scott Stevens [mailto:jon@latchkey.com]
>> Sent: Tuesday 21 March 2006 18:17
>> To: Subversion Users
>> Subject: Fwd: authz and hiding directories that have read
>> access disabled.
>>
>> Trying once more. Didn't get a response last time. Maybe I
>> need to phrase the issue differently?
>>
>> Read the FAQ. Searched the bug database. Nothing I have seen
>> covers this.
>>
>> jon
>>
>> Begin forwarded message:
>>
>>> From: Jon Scott Stevens <jo...@latchkey.com>
>>> Date: March 16, 2006 6:43:02 PM PST
>>> To: Subversion Users <us...@subversion.tigris.org>
>>> Subject: authz and hiding directories that have read access
>> disabled.
>>>
>>> I'm running svn 1.3.0 through Apache 2.0.52 on OSX 10.4.5.
>> Here's my
>>> authz:
>>>
>>> [groups]
>>> admin = jon
>>>
>>> [/]
>>> * = r
>>> @admin = rw
>>>
>>> [/acl]
>>> * =
>>> @admin = rw
>>>
>>> I would expect that when I browse the repo via my http web browser
>>> (not authenticated), that the /acl directory would not even
>> get listed
>>> in the output (because of the '* ='), but it does. Note,
>> when I try to
>>> view the repo, I am properly asked for auth information.
>>>
>>> I kind of consider this a minor security hole in that svn
>> is exposing
>>> the name of a directory which really should not be
>> available publicly.
>>> Security through obscurity!
>>>
>>> By the way, when I browse the same repo using my install of
>> the latest
>>> version of Trac, it's smart enough to not list the /acl directory
>>> until I authenticate as jon.
>>>
>>> thanks,
>>>
>>> jon



Re: authz and hiding directories that have read access disabled.

Posted by Ryan Schmidt <su...@ryandesign.com>.
On Mar 21, 2006, at 18:45, Lieven Govaerts wrote:

> Path-based authz is modeled after Unix folder restrictions. A path on
> which you don't have read-access is still visible, that's correct
> behaviour.

But FWIW, Apache implements different behavior. If you have directory  
listings turned on, and you have a directory which contains  
an .htaccess file, and that .htaccess file forbids you access to the  
directory contents, then the directory doesn't show up in its  
parent's directory listing.

Admittedly I wasn't expecting that behavior and it threw me for a  
loop when I first observed it. But there it is.




RE: authz and hiding directories that have read access disabled.

Posted by Lieven Govaerts <lg...@mobsol.be>.
Path-based authz is modeled after Unix folder restrictions. A path on 
which you don't have read-access is still visible, that's correct 
behaviour. 

I'd then consider the behaviour in Trac a bug, or at least very confusing.

If you want to hide folders, just add an extra read-only folder in 
between. 

Lieven.

> -----Original Message-----
> From: Jon Scott Stevens [mailto:jon@latchkey.com] 
> Sent: Tuesday 21 March 2006 18:17
> To: Subversion Users
> Subject: Fwd: authz and hiding directories that have read 
> access disabled.
> 
> Trying once more. Didn't get a response last time. Maybe I 
> need to phrase the issue differently?
> 
> Read the FAQ. Searched the bug database. Nothing I have seen 
> covers this.
> 
> jon
> 
> Begin forwarded message:
> 
> > From: Jon Scott Stevens <jo...@latchkey.com>
> > Date: March 16, 2006 6:43:02 PM PST
> > To: Subversion Users <us...@subversion.tigris.org>
> > Subject: authz and hiding directories that have read access 
> disabled.
> >
> > I'm running svn 1.3.0 through Apache 2.0.52 on OSX 10.4.5. 
> Here's my 
> > authz:
> >
> > [groups]
> > admin = jon
> >
> > [/]
> > * = r
> > @admin = rw
> >
> > [/acl]
> > * =
> > @admin = rw
> >
> > I would expect that when I browse the repo via my http web browser 
> > (not authenticated), that the /acl directory would not even 
> get listed 
> > in the output (because of the '* ='), but it does. Note, 
> when I try to 
> > view the repo, I am properly asked for auth information.
> >
> > I kind of consider this a minor security hole in that svn 
> is exposing 
> > the name of a directory which really should not be 
> available publicly. 
> > Security through obscurity!
> >
> > By the way, when I browse the same repo using my install of 
> the latest 
> > version of Trac, it's smart enough to not list the /acl directory 
> > until I authenticate as jon.
> >
> > thanks,
> >
> > jon


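To make the behaviour Lieven describes concrete, here is a small Python model of the path-based authz rules as Jon's file uses them, together with an audit that reports which directory names a listing would reveal to a user who cannot read them. This is an added example, not code from the thread or from Subversion itself. It assumes the documented rule semantics (a [path] section applies to that path and everything beneath it, the most specific section wins, `*` matches every user including anonymous, `@name` matches a member of a [groups] entry) and, as a labelled simplification, treats several matching lines in one section as the union of what they grant; the listing model follows the svn 1.3 behaviour Jon reports, where a readable directory lists every child's name. The repository trees and the "wrapped" authz file are constructed sample input, the latter being one reading of Lieven's "extra folder in between" workaround.

```python
"""Model of Subversion path-based authz plus a name-disclosure audit.

Added example, not Subversion's own code. Assumption: when several lines in
one section match the same user, access is the union of what they grant;
real Subversion's precedence between '*' and group lines has varied between
releases, so check the version you run.
"""
import configparser

# Jon's authz file from the thread (constructed sample input).
AUTHZ_JON = """
[groups]
admin = jon

[/]
* = r
@admin = rw

[/acl]
* =
@admin = rw
"""

# Lieven's workaround as this example reads it: put the sensitive directory
# beneath a parent that denies everyone, so only the parent's neutral name
# is ever listed. Constructed sample input.
AUTHZ_WRAPPED = """
[groups]
admin = jon

[/]
* = r
@admin = rw

[/private]
* =
@admin = rw
"""

# Constructed repository trees: directory path -> child entry names.
TREE_BEFORE = {"/": ["trunk", "acl"], "/acl": ["htpasswd", "authz"],
               "/trunk": ["README"]}
TREE_AFTER = {"/": ["trunk", "private"], "/private": ["acl"],
              "/private/acl": ["htpasswd", "authz"], "/trunk": ["README"]}


def parse_authz(text):
    """Return (groups, rules): groups maps name -> members, rules maps a
    path section -> list of (who, perm) lines, in file order."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep the case of user names and '@group' tokens
    cp.read_string(text)
    groups = {}
    if cp.has_section("groups"):
        for name, members in cp.items("groups"):
            groups[name] = [m.strip() for m in members.split(",") if m.strip()]
    rules = {s: [(who, perm.strip()) for who, perm in cp.items(s)]
             for s in cp.sections() if s != "groups"}
    return groups, rules


def line_matches(who, user, groups):
    """Does a rule's left-hand side apply to this user (None = anonymous)?"""
    if who == "*":
        return True
    if who.startswith("@"):
        return user is not None and user in groups.get(who[1:], [])
    return user == who


def access(path, user, groups, rules):
    """Permissions ({'r', 'w'} subset) for user on path: walk from the path
    up to '/', and the first section with a matching line decides. A line
    with an empty right-hand side ('* =') is an explicit deny, not a
    fall-through."""
    while True:
        if path in rules:
            matched = [perm for who, perm in rules[path]
                       if line_matches(who, user, groups)]
            if matched:
                return set("".join(matched)) & {"r", "w"}  # union (assumption)
        if path == "/":
            return set()
        path = path.rsplit("/", 1)[0] or "/"


def listing(dirpath, user, groups, rules, tree):
    """What browsing dirpath shows this user, modelled on the svn 1.3
    behaviour in the thread: a readable directory lists every child's name,
    an unreadable one yields no listing at all (auth prompt / 403)."""
    if "r" not in access(dirpath, user, groups, rules):
        return None
    return list(tree.get(dirpath, []))


def disclosed_names(user, groups, rules, tree):
    """Audit: paths this user may not read whose names a parent listing
    still reveals, i.e. the '/acl'-style disclosure Jon objects to."""
    leaks = []
    for parent in tree:
        for name in listing(parent, user, groups, rules, tree) or []:
            child = "/" + name if parent == "/" else parent + "/" + name
            if "r" not in access(child, user, groups, rules):
                leaks.append(child)
    return sorted(leaks)


if __name__ == "__main__":
    for label, text, tree in (("as posted", AUTHZ_JON, TREE_BEFORE),
                              ("wrapped", AUTHZ_WRAPPED, TREE_AFTER)):
        groups, rules = parse_authz(text)
        print(label, "anonymous sees names of:", disclosed_names(None, groups, rules, tree))
```

Run as posted, the audit reports `/acl` for the anonymous user: the contents are protected, the name is not. With the wrapped layout the only exposed name is `/private`, and `acl` and everything under it stay out of any listing the anonymous user can obtain, which is exactly the effect of Lieven's extra directory. The same audit run with `user="jon"` reports nothing, since the admin group reads both sections.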

Fwd: authz and hiding directories that have read access disabled.

Posted by Jon Scott Stevens <jo...@latchkey.com>.
Trying once more. Didn't get a response last time. Maybe I need to  
phrase the issue differently?

Read the FAQ. Searched the bug database. Nothing I have seen covers  
this.

jon

Begin forwarded message:

> From: Jon Scott Stevens <jo...@latchkey.com>
> Date: March 16, 2006 6:43:02 PM PST
> To: Subversion Users <us...@subversion.tigris.org>
> Subject: authz and hiding directories that have read access disabled.
>
> I'm running svn 1.3.0 through Apache 2.0.52 on OSX 10.4.5. Here's  
> my authz:
>
> [groups]
> admin = jon
>
> [/]
> * = r
> @admin = rw
>
> [/acl]
> * =
> @admin = rw
>
> I would expect that when I browse the repo via my http web browser  
> (not authenticated), that the /acl directory would not even get  
> listed in the output (because of the '* ='), but it does. Note,  
> when I try to view the repo, I am properly asked for auth information.
>
> I kind of consider this a minor security hole in that svn is  
> exposing the name of a directory which really should not be  
> available publicly. Security through obscurity!
>
> By the way, when I browse the same repo using my install of the  
> latest version of Trac, it's smart enough to not list the /acl  
> directory until I authenticate as jon.
>
> thanks,
>
> jon

