Posted to users@subversion.apache.org by Jeff Mitchell <je...@gmail.com> on 2008/03/14 17:16:25 UTC

Overzealous asterisk in AuthzSVNAccessFile

I'm running into a problem trying to give permissions to everyone to
read-write the entire repository except for a single directory that I
want to only have specific users able to access (read or write).

My configuration file looks like this:

[groups]
allowed = tom dick harry

[/]
* = rw

[/projects/keepout]
@allowed = rw
* =

However, that keeps everyone, including people in the allowed group,
from being able to access that path.  If I remove the "* =" then
everyone can access the path.  I would think that the more specific
group permissions would override the * but that doesn't seem to be the
case.

The allowed list is fairly static; the rest of our user database is
quite dynamic.  Unfortunately, given my experience so far, the only
way I can think of how to work around this is to put all the other
usernames (over a hundred) in a second group, and keep that updated
separately from the rest of our authentication system.  Not a great
workaround.

Am I totally missing something here, or is the asterisk being overzealous?

Thanks,
Jeff

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: Overzealous asterisk in AuthzSVNAccessFile

Posted by Mark Reibert <sv...@reibert.com>.
For what it is worth, I can reproduce this problem using SVN 1.4.6 and
svn://, which is weird since I used to do stuff like this all the time
and it worked (with groups) as expected. But that was with Subversion
1.3.x ... I wonder if this behavior is a more recent regression.

You may want to post to the dev list in the hopes the problem will get
more visibility.


-- 
----------------------
Mark S. Reibert, Ph.D.
svn@reibert.com
----------------------



Re: Overzealous asterisk in AuthzSVNAccessFile

Posted by Jeff Mitchell <je...@gmail.com>.
I did actually try flipping the order (what I posted was actually the
result of that flip...I figured order mattered, so I tried it your way
first).  No dice.

--Jeff

On Fri, Mar 14, 2008 at 1:20 PM, Luke Imhoff <lu...@cray.com> wrote:
> Did you try flipping the order?  If I recall correctly order matters, so
>  do
>
>
>  [/]
>  * = rw
>
>  [/projects/keepout]
>  * =
>  @allowed = rw


Re: Overzealous asterisk in AuthzSVNAccessFile

Posted by Luke Imhoff <lu...@cray.com>.
Did you try flipping the order?  If I recall correctly order matters, so
do

[/]
* = rw

[/projects/keepout]
* =
@allowed = rw





Re: Overzealous asterisk in AuthzSVNAccessFile

Posted by Jeff Mitchell <je...@gmail.com>.
On Fri, Mar 14, 2008 at 1:25 PM,  <da...@jpmorgan.com> wrote:
> Hi Jeff,
>
>  I think this is similar to the issue I previously raised and have raised
>  as a defect in:
>         http://subversion.tigris.org/issues/show_bug.cgi?id=2907

David,

Thanks, I've added my voice to the issue.  One thing I just found out:
this problem only applies to groups.  Adding those specific users as
separate lines will make things behave as they should...but it's not
an ideal solution.

--Jeff


Re: Overzealous asterisk in AuthzSVNAccessFile

Posted by da...@jpmorgan.com.
Hi Jeff,

I think this is similar to the issue I previously raised and have raised 
as a defect in:
        http://subversion.tigris.org/issues/show_bug.cgi?id=2907

Regards,

David.
--
David Grierson
JPMorgan - IB Architecture - Source Code Management Consultant
GDP 228-5574 / DDI +44 141 228 5574 / Email david.x.grierson@jpmorgan.com
Alhambra House 6th floor, 45 Waterloo Street, Glasgow G2 6HS
 

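An added example, not part of the thread and not Subversion's code: a small Python model of the evaluation the posters expected (the deepest section with an entry matching the user decides, and a grant on any matching line beats `* =` in the same section). It can be used to check that the per-user workaround Jeff reports gives the same access as the group form. The function names and the user `mallory` are constructed for illustration.

```python
# Constructed model of the semantics the posters expected; not Subversion's code.
GROUP_FORM = """\
[groups]
allowed = tom dick harry

[/]
* = rw

[/projects/keepout]
@allowed = rw
* =
"""
# Jeff's reported workaround: name the users individually instead of the group.
USER_FORM = GROUP_FORM.replace("@allowed = rw", "tom = rw\ndick = rw\nharry = rw")

def parse_authz(text):
    """Return (groups, rules): group -> users, path -> [(subject, rights)]."""
    groups, rules, section = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if section == "groups":
            groups[key] = set(value.replace(",", " ").split())
        else:
            rules.setdefault(section, []).append((key, set(value)))
    return groups, rules

def matches(subject, user, groups):
    if subject.startswith("@"):
        return user in groups.get(subject[1:], set())
    return subject in ("*", user)

def access(text, user, path):
    """Deepest section with an entry matching the user decides; inside it the
    matching lines are unioned, so `* =` does not cancel a grant."""
    groups, rules = parse_authz(text)
    probe = "/" + path.strip("/")
    while True:
        hits = [r for s, r in rules.get(probe, []) if matches(s, user, groups)]
        if hits or probe == "/":
            return "".join(sorted(set().union(*hits)))
        probe = probe.rsplit("/", 1)[0] or "/"

def policy_diff(a, b, users, paths):
    """List (user, path) pairs where two authz texts give different rights."""
    return [(u, p) for u in users for p in paths
            if access(a, u, p) != access(b, u, p)]
```

Running the same user and path matrix against a live server and comparing it with this model shows whether a given Subversion build departs from the expected result for group entries.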