Posted to users@subversion.apache.org by Giulio Troccoli <Gi...@uk.linedata.com> on 2008/01/16 10:25:44 UTC

Setting up repository to not allowed checkout on a directory

I know there are many posts on how to restrict access to a directory and
I'm following their advice and the SVN book's, but it still doesn't
work.

My repository contains a directory for every version of the product we
currently support. For reasons beyond the scope of this email we do not
want anybody, but user svn, to be able to do anything, even checkout,
the latest version.

I'm using Apache 2.0 and Subversion 1.4.4 on a Linux 2.6 box.

The Subversion configuration in Apache is as follows

# Needed to do Subversion Apache server.
LoadModule dav_module         modules/mod_dav.so
LoadModule dav_svn_module     modules/mod_dav_svn.so

# Only Needed if you decide to do "per-directory" access control.
LoadModule authz_svn_module   modules/mod_authz_svn.so

# Set the log format
CustomLog logs/subversion.log "%t %u@%h %U %{SVN-ACTION}e" env=SVN-ACTION

<Location /svn-test>
   DAV svn
   SVNPath /data/TestRepositories/svn-test

   # Access Control Policy
   AuthzSVNAccessFile /etc/httpd/etc/svn-test.access

   # How to authenticate a user
   AuthType Basic
   AuthName "Subversion Testing Repository"
   AuthUserFile /etc/httpd/etc/passwd-svn-test

   # For any operations other than these, require an authenticated user
   <LimitExcept GET PROPFIND OPTIONS REPORT>
      Order deny,allow
      Require valid-user
   </LimitExcept>
</Location>

And the access policy file is as follows

[svn-test:/]
* = rw

[svn-test:/5.02]
gtroccol =

I thought this configuration allowed all access to everybody, but
restricted gtroccol from any access to 5.02. Eventually I will make use
of the groups, but I want to make it work first.

But if I check-out svn-test as gtroccol I still have the 5.02 directory.

I had a look at the log file produced by Apache and I found this line:

[16/Jan/2008:10:05:21 +0000] -@10.112.11.47 /svn-test/!svn/vcc/default checkout-or-export '/'

It seems that Apache doesn't know who is checking-out and therefore
treats it as an anonymous access, thus allowing the check-out for 5.02.
However, when I commit I cannot because I am not allowed:

Sending        5.02/test/uno
svn: Commit failed (details follow):
svn: CHECKOUT of '/svn-test/!svn/ver/7/5.02/test/uno': 403 Forbidden (http://ln1sub01)

Instead, I can commit changes in the other directories

This is in a way understandable. I had a browse through the Apache log
file and the only time when a user is present is when a commit (or a
revprop-change) is done (I was able to check this for other
repositories)

[16/Jan/2008:10:16:30 +0000] gtroccol@10.112.11.47 /svn-test/5.00 commit r25

I know this is probably an Apache question, but I wanted to check with
everyone that uses per-directory access in their repositories whether I
did something blatantly wrong in my configuration, or there is something
I'm missing and that you have learned from experience (and experimenting
maybe).

Regards,
Giulio Troccoli
 
 
Linedata Services (UK) Ltd
Registered Office: Bishopsgate Court, 4-12 Norton Folgate, London, E1 6DB
Registered in England and Wales No 3027851     VAT Reg No 778499447

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

RE: Setting up repository to not allowed checkout on a directory

Posted by Giulio Troccoli <Gi...@uk.linedata.com>.
-----Original Message-----
 

> From: Jonathan Ashley [mailto:jonathan.ashley@praxis-his.com]
> Sent: 16 January 2008 12:08
> To: Giulio Troccoli; users@subversion.tigris.org
> Subject: RE: Setting up repository to not allowed checkout on a directory
> 
> > <Location /svn-test>
> >    DAV svn
> >    SVNPath /data/TestRepositories/svn-test
> >
> >    # Access Control Policy
> >    AuthzSVNAccessFile /etc/httpd/etc/svn-test.access
> >
> >    # How to authenticate a user
> >    AuthType Basic
> >    AuthName "Subversion Testing Repository"
> >    AuthUserFile /etc/httpd/etc/passwd-svn-test
> >
> >    # For any operations other than these, require an authenticated user
> >    <LimitExcept GET PROPFIND OPTIONS REPORT>
> >       Order deny,allow
> >       Require valid-user
> >    </LimitExcept>
> > </Location>
> >
> > And the access policy file is as follows
> >
> > [svn-test:/]
> > * = rw
> >
> > [svn-test:/5.02]
> > gtroccol =
> >
> > I thought this configuration allowed all access to everybody,
> > but restricted gtroccol from any access to 5.02. Eventually I
> > will make use of the groups, but I want to make it work first.
> >
> > But if I check-out svn-test as gtroccol I still have the 5.02
> > directory.
> 
> I have a configuration file that works, and the main difference to
> yours is that I *don't* put LimitExcept around my 'Require valid-user'
> directive. I think you are deciding to allow completely anonymous
> users to do the operations that are needed for checkout, so maybe
> Apache never challenges for authentication in the first place?
> 
> Try getting rid of it.
> 
> regards,
> --
> Jon Ashley
> 

Jon, that worked a treat, thank you very much. I knew it must have been
simpler than I thought.

Giulio


RE: Setting up repository to not allowed checkout on a directory

Posted by Jonathan Ashley <jo...@praxis-his.com>.
> <Location /svn-test>
>    DAV svn
>    SVNPath /data/TestRepositories/svn-test
>
>    # Access Control Policy
>    AuthzSVNAccessFile /etc/httpd/etc/svn-test.access
>
>    # How to authenticate a user
>    AuthType Basic
>    AuthName "Subversion Testing Repository"
>    AuthUserFile /etc/httpd/etc/passwd-svn-test
>
>    # For any operations other than these, require an authenticated user
>    <LimitExcept GET PROPFIND OPTIONS REPORT>
>       Order deny,allow
>       Require valid-user
>    </LimitExcept>
> </Location>
>
> And the access policy file is as follows
>
> [svn-test:/]
> * = rw
>
> [svn-test:/5.02]
> gtroccol =
>
> I thought this configuration allowed all access to everybody,
> but restricted gtroccol from any access to 5.02. Eventually I
> will make use of the groups, but I want to make it work first.
>
> But if I check-out svn-test as gtroccol I still have the 5.02
> directory.

I have a configuration file that works, and the main difference to
yours is that I *don't* put LimitExcept around my 'Require valid-user'
directive. I think you are deciding to allow completely anonymous
users to do the operations that are needed for checkout, so maybe
Apache never challenges for authentication in the first place?

Try getting rid of it.

regards,
--
Jon Ashley
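
Added example (not part of the original thread, and not Subversion's own code): a simplified Python model of the access-file lookup, run over the access file posted above, showing why the "gtroccol =" rule had no effect while Apache let read requests through unauthenticated. The parse() and access() helpers, the omission of groups and aliases, and STRICT_RULES (a variant matching the stated goal that only user svn may touch 5.02) are assumptions made for illustration.

```python
# Access file exactly as posted in the thread.
PAGE_RULES = """
[svn-test:/]
* = rw

[svn-test:/5.02]
gtroccol =
"""

# Assumed variant: deny everyone on 5.02, then grant only user svn.
STRICT_RULES = """
[svn-test:/]
* = rw

[svn-test:/5.02]
* =
svn = rw
"""

def parse(text):
    """Return {path: {principal: perms}} from an access file (no groups)."""
    rules, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1].split(":", 1)[-1]      # drop the "svn-test:" prefix
            section = rules.setdefault(path.rstrip("/") or "/", {})
        elif section is not None and "=" in line:
            who, perms = (p.strip() for p in line.split("=", 1))
            section[who] = perms
    return rules

def access(rules, user, path):
    """Simplified lookup: the most specific section with an entry matching
    the user decides. user=None models an unauthenticated request."""
    path = path.rstrip("/") or "/"
    while True:
        section = rules.get(path, {})
        # An anonymous request can only match '*', never a named entry.
        hits = [section[k] for k in section if k == "*" or (user and k == user)]
        if hits:
            return "".join(sorted(set("".join(hits))))
        if path == "/":
            return ""
        path = path.rsplit("/", 1)[0] or "/"

if __name__ == "__main__":
    print([(u, access(parse(PAGE_RULES), u, "/5.02")) for u in (None, "gtroccol")])
```

In this model the unauthenticated request resolves to rw on /5.02 through "* = rw", which corresponds to the "-" user on the logged checkout-or-export line, while the named user gtroccol is denied, as on the failed commit.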

