Posted to users@subversion.apache.org by Markus Werle <nu...@web.de> on 2009/08/14 15:10:33 UTC

bug w/ apache and ACLs?

Hi!

I would like to report a bug (IMHO it is one) for mod_dav_svn in conjunction with 
apache-2.2.11. Could you please confirm this behaviour?

Consider the following folder structure inside the repository in folder REPO:
    
/ROOT
  |-- Some
        |-- Folder
              |-- Stuff
              |     |-- SomeTextFile.txt
              |
              |-- Secrets
                    |-- SecretData.txt

My basic apache configuration is as follows:

--snip--
RedirectMatch ^(/svn)$ $1/

<Location /svn>
    DAV svn
    SVNParentPath D:\Somewhere
    SVNListParentPath on
    RedirectMatch 404 ^/(MSOffice/|_vti_bin/|_vti_inf.html$) 
    BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
    BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
    BrowserMatch "Microsoft-WebDAV-MiniRedir/5.1.2600" redirect-carefully
    BrowserMatch "^WebDrive" redirect-carefully
    BrowserMatch "^WebDAVFS" redirect-carefully
    SVNAutoversioning On
    SVNReposName "Subversion Repository"
    AuthType Basic
    AuthName "Subversion Repository"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthLDAPBindDN "CN=adminaccount,OU=ServiceAccounts(non-elevated),OU=Operators,DC=EXAMPLE,DC=COM"
    AuthLDAPBindPassword Password
    AuthLDAPURL "ldap://ldapserver:3268/?sAMAccountName?sub" NONE
    Order deny,allow
    Deny from all
</Location>
--snip--
                    
The goal of my Apache ACL configuration is to let user Marcel
have access to the stuff in directory "Stuff", and let other users 
have access to all the data.
So I have the following ACL configuration:

--snip--
# This here I hope to be fine, please comment
<Location ~ ^/svn/.+/!svn>    
    Satisfy Any
    Require valid-user  
</Location>
 
# Next line is the trouble line 
<Location ~ (?i)^/svn/REPO/ROOT>
    Satisfy Any
    Require ldap-group CN=SOMEGROUP,OU=Distribution Groups,OU=User Accounts,DC=EXAMPLE,DC=COM
    Require ldap-attribute distinguishedName="CN=Doe\, John,OU=User Accounts,DC=EXAMPLE,DC=COM"
</Location>
 
<Location ~ (?i)^/svn/REPO/ROOT/Some/Folder/Stuff>
    Satisfy Any
    Require ldap-attribute distinguishedName="CN=Marcel,OU=User Accounts,DC=EXAMPLE,DC=COM"
</Location>
--snip--

Everything works as expected:
Marcel can use TortoiseSVN, enter the url 
http://server/svn/REPO/ROOT/Some/Folder/Stuff
and check out/check in data as planned. 
Any other access to the repo is rejected. Fine.

Now I change the configuration in one minor aspect:
"<Location ~ (?i)^/svn/REPO/ROOT>" is replaced by
"<Location ~ (?i)^/svn/REPO>"
and now Marcel no longer has access to 
http://server/svn/REPO/ROOT/Some/Folder/Stuff
Note that this rule does not mention Marcel at all.

This led to some headache at my place. 
To make things worse the "working" solution does not seem to scale.
Our production environment could not be "healed" by adding 
dummy access rules to second level directories.
There is some weird interaction between multiple <Location> rules,
but I cannot figure out what exactly happens and when.

Could you please check whether you can reproduce this behaviour?
Could you please explain what is going on?


best regards,

Markus
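The interaction the post asks about can be worked through with Apache 2.2's per-directory merge rule: every `<Location ~>` whose regex matches the request URI is merged in configuration-file order, and a later matching section's `Require` directives replace (rather than add to) the earlier ones, while `Deny from all` from `<Location /svn>` is inherited by sections that set no access directives. Subversion clients also send requests to `/svn/REPO/!svn/...` resource URLs, so widening the pattern to `^/svn/REPO` pulls those requests under the group rule. The Python model below is an added example, not part of the original post; the `!svn/bc/...` request URL and Marcel's group memberships are assumptions.

```python
import re

# The three <Location ~ regex> sections from the post, in config-file order.
# root_pattern is the "trouble line"; the Require values are abbreviated.
def sections(root_pattern):
    return [
        (r"^/svn/.+/!svn", ["valid-user"]),
        (root_pattern, ["ldap-group CN=SOMEGROUP,...",
                        "ldap-attribute distinguishedName=CN=Doe\\, John,..."]),
        (r"(?i)^/svn/REPO/ROOT/Some/Folder/Stuff",
         ["ldap-attribute distinguishedName=CN=Marcel,..."]),
    ]

def effective_requires(url, secs):
    """Model of Apache 2.2 merging: each matching <Location ~> is applied in
    config order and its Require list REPLACES the previous one.  Returns the
    Require list in force for url, or None when no section sets one (then only
    the inherited 'Deny from all' applies and the request is refused)."""
    requires = None
    for pattern, reqs in secs:
        if re.search(pattern, url):
            requires = reqs
    return requires

def marcel_allowed(url, secs):
    """Assumption: Marcel can bind to LDAP (so he is a valid-user) and matches
    his own DN rule, but is neither a member of SOMEGROUP nor John Doe."""
    reqs = effective_requires(url, secs)
    if reqs is None:
        return False          # Satisfy Any, no Require: host rule (Deny from all) decides
    return any(r == "valid-user" or "CN=Marcel" in r for r in reqs)

# Constructed request URLs: the plain path a user types, and the !svn/bc/<rev>
# resource URL mod_dav_svn clients use when fetching a specific revision.
PLAIN = "/svn/REPO/ROOT/Some/Folder/Stuff"
BC = "/svn/REPO/!svn/bc/42/ROOT/Some/Folder/Stuff/SomeTextFile.txt"

def compare():
    """Effective outcome for Marcel under the narrow and the widened pattern."""
    narrow = sections(r"(?i)^/svn/REPO/ROOT")
    wide = sections(r"(?i)^/svn/REPO")
    return {
        "narrow": (marcel_allowed(PLAIN, narrow), marcel_allowed(BC, narrow)),
        "wide": (marcel_allowed(PLAIN, wide), marcel_allowed(BC, wide)),
    }

if __name__ == "__main__":
    for name, (plain, bc) in compare().items():
        print(f"{name:6s} pattern: plain URL {plain}, !svn/bc URL {bc}")
```

Under the widened pattern the plain URL still ends up in Marcel's section, but the `!svn/bc` requests now stop at the group section, which is why the checkout fails even though that rule never mentions Marcel.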
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2383644