Posted to users@subversion.apache.org by André Hänsel <an...@webkr.de> on 2013/02/04 20:08:59 UTC

Deny read access to a path using authz

Hi list,

I am trying to deny a user access to a certain path in an SVN repository.

According to the documentation this is done by setting the username to empty
like this:

  [calc:/branches/calc/bug-142/secret]
  harry =

In
http://grokbase.com/t/subversion/users/1019eey8h0/problem-implementing-path-based-authorization-with-authz
I found this:

  If I remember correctly, you cannot have less than
  global read permissions on the repository's root
  if you're on SVN 1.5 or later.

Maybe this is fixed in 1.7
(http://subversion.tigris.org/issues/show_bug.cgi?id=3242), still I decided
to start with read access for everyone and then to deny access to one path.

This is the configuration of my SVN vhost:

    <VirtualHost *:443>
    
      <Location />
        DAV svn
        SVNParentPath /var/repositories/
        
        AuthType Basic
        AuthName "Repositories"
        AuthUserFile /etc/apache2/passwd/rep
        Require user andre
        
        # Google: svn secure connection truncated
        SVNPathAuthz Off
      </Location>
      
      <Location /test/>
        AuthUserFile /etc/apache2/passwd/rep-test
        Require valid-user
        SVNPathAuthz On
        AuthzSVNAccessFile /etc/apache2/passwd/authz-test
      </Location>
    
    </VirtualHost>

Inside the repository https://svn/test/ there is a directory test2.

This is my current authz-test file, which is unable to stop user "andre"
from accessing the directory "test2" and its content:

    [/]
    * = rw
    
    [/test2]
    andre =
    [/test2/]
    andre =
    [test/test2]
    andre =
    [/test/test2]
    andre =
    [test/test2/]
    andre =
    [/test/test2/]
    andre =
    [test:/test/test2]
    andre =
    [test/:/test2]
    andre =
    [test:/test2/]
    andre =
    [test/:/test2/]
    andre =
    [test:test2]
    andre =
    [test/:test2]
    andre =
    [test:test2/]
    andre =
    [test/:test2/]
    andre =

When I comment the "* = rw" part, access to the repository is immediately
denied, so at least the file isn't being ignored completely. I am using
Subversion 1.7.8.

Regards,
André


Re: Deny read access to a path using authz

Posted by km...@rockwellcollins.com.
André Hänsel <an...@webkr.de> wrote on 02/04/2013 01:08:59 PM:
> I am trying to deny a user access to a certain path in an SVN repository.

[snip]

> This is my current authz-test file, which is unable to stop user "andre"
> from accessing the directory "test2" and its content:
> 
>     [/]
>     * = rw

If you don't need anonymous access, try:
        $authenticated = rw

>     [/test2]
>     andre =
>     [/test2/]
>     andre =
>     [test/test2]
>     andre =
>     [/test/test2]
>     andre =
>     [test/test2/]
>     andre =
>     [/test/test2/]
>     andre =
>     [test:/test/test2]
>     andre =
>     [test/:/test2]
>     andre =
>     [test:/test2/]
>     andre =
>     [test/:/test2/]
>     andre =
>     [test:test2]
>     andre =
>     [test/:test2]
>     andre =
>     [test:test2/]
>     andre =
>     [test/:test2/]
>     andre =
> 
> When I comment the "* = rw" part, access to the repository is immediately
> denied, so at least the file isn't being ignored completely. I am using
> Subversion 1.7.8.
> 
> Regards,
> André
>
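
Added example (not part of either message, and not Subversion's own code): a small Python model of how an authz file is consulted for one repository path, combining the "$authenticated = rw" suggestion from the reply with two of the section spellings from the question. It assumes the Subversion 1.7 lookup order (the "repos:/path" section first, then "/path", then the same pair for each parent directory), exact matching of section names, and no groups or aliases; the user "harry" and all function names are hypothetical.

```python
# Added example (not Subversion code): exact section-name match, read access only.
import configparser

def load(text):
    cp = configparser.RawConfigParser(delimiters=("=",))
    cp.optionxform = str                  # keep user names case-sensitive
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def lookup_names(repo, path):
    """Yield the section names consulted for repo/path, most specific first."""
    path = "/" + path.strip("/")          # canonical: leading '/', no trailing '/'
    while True:
        yield f"{repo}:{path}"            # repository-specific section
        yield path                        # section applying to every repository
        if path == "/":
            return
        path = path.rsplit("/", 1)[0] or "/"

def verdict(rules, user):
    """True/False if this section decides read access for user, else None."""
    allow = deny = False
    for who, perms in rules.items():
        if (who in ("*", user) or (who == "$authenticated" and user)
                or (who == "$anonymous" and not user)):
            allow |= "r" in perms
            deny |= "r" not in perms
    return True if allow else (False if deny else None)

def can_read(sections, repo, path, user):
    for name in lookup_names(repo, path):
        v = verdict(sections.get(name, {}), user)
        if v is not None:
            return v
    return False                          # no rule matched anywhere: deny

def unreachable(sections, repo, path):
    wanted = set(lookup_names(repo, path))
    return sorted(s for s in sections if s not in wanted)

# Constructed sample for repository "test"; the "rw" in [/test2/] is made up.
SAMPLE = """\
[/]
$authenticated = rw
[test:/test2]
andre =
[/test2/]
andre = rw
"""
```

In this model the "[/test2/]" section is never looked up, so its "andre = rw" line has no effect, and a user of None stands for an anonymous request.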