Posted to dev@subversion.apache.org by Alec Thomas <su...@swapoff.org> on 2004/09/03 16:42:03 UTC

[PATCH] svnserve per-user read/write access control

Hello,

Please consider this patch for inclusion. It implements per-user access
control for svnserve.  Access is specified in an [auth] section of the
svnserve.conf file.

An example svnserve.conf might look like this:

	[general]
	# Default to read access for both authenticated and unauthenticated
	# users.
	anon-access = read
	auth-access = read
	password-db = /svn/conf/global-passwd

	[auth]
	# Let athomas have write access to the repository.
	athomas = write
	# Deny gchristian access to the repository.
	gchristian = none

I'm not sure what the policy is on configuration sections, but reusing
SVN_CONFIG_SECTION_AUTH seemed appropriate.

Thanks,
Alec

[[[
* subversion/svnserve/serve.c
  (get_access): Extra permission check against entries in the [auth]
  section in svnserve.conf. Users are listed in the form user =
  permission which overrides the defaults specified by anon-access and
  auth-access.
]]]

--
Evolution: Taking care of those too stupid to take care of themselves.

Re: [PATCH] svnserve per-user read/write access control

Posted by Atanas Raykov <na...@unixsol.org>.
> However, I think we should be putting serious effort into re-using the 
> mod_authz_svn access file format.
>
> Make *that* a separate file.

Then do it. Do it!!! Watcha waitin' for? ;-)
Still, a pretty neat feature, I'll probably download the latest source
code, compile it and give permission to some folks to read the code (not
committing anything of course).

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: [PATCH] svnserve per-user read/write access control

Posted by Alec Thomas <su...@swapoff.org>.
Hi Max,

On Sat, Sep 04, 2004 at 08:06:49PM +0100, Max Bowsher wrote:
> However, admins may want to edit the auth config, which is far less
> sensitive, on a terminal where they cannot be 100% sure no one is looking
> over their shoulder.

The primary reason I chose not to place the access control in the
password file was so that the password file could be shared between
multiple repositories while still allowing access control to be
controlled per-repository.

> However, I think we should be putting serious effort into re-using the
> mod_authz_svn access file format.

After a quick perusal of the mod_authz_svn documentation, it seems that
this would be a fairly large change. At the moment the svnserve access
control system has no concept of per-path permissions. This in itself
seems like it would be a significant amount of work to implement.

Alec

--
Evolution: Taking care of those too stupid to take care of themselves.


Re: [PATCH] svnserve per-user read/write access control

Posted by Max Bowsher <ma...@ukf.net>.
Atanas Raykov wrote:
>> An example svnserve.conf might look like this:
>>
>> [general]
>> # Default to read access for both authenticated and unauthenticated
>> # users.
>> anon-access = read
>> auth-access = read
>> password-db = /svn/conf/global-passwd
>>
>> [auth]
>> # Let athomas have write access to the repository.
>> athomas = write
>> # Deny gchristian access to the repository.
>> gchristian = none
>>
>>
> Just a quick thought here. It's pretty neat to have such a feature, but
> I have some security issues. If somehow, somebody is able to steal
> svnserve.conf, he'll see only the server configuration and the location
> on password-db, but won't see any username or password. With this patch,
> he'll be able to see a username and try to access the repository by
> guessing its password (we're talking about the case anon-access = none
> and auth-access = write). Is it possible to move the [auth] part in the
> password-db file?

BAD IDEA.

The password-db contains highly sensitive info. (passwords)

However, admins may want to edit the auth config, which is far less 
sensitive, on a terminal where they cannot be 100% sure no one is looking 
over their shoulder.

However, I think we should be putting serious effort into re-using the 
mod_authz_svn access file format.

Make *that* a separate file.

Max.



Re: [PATCH] svnserve per-user read/write access control

Posted by Atanas Raykov <na...@unixsol.org>.
>An example svnserve.conf might look like this:
>
>	[general]
>	# Default to read access for both authenticated and unauthenticated
>	# users.
>	anon-access = read
>	auth-access = read
>	password-db = /svn/conf/global-passwd
>
>	[auth]
>	# Let athomas have write access to the repository.
>	athomas = write
>	# Deny gchristian access to the repository.
>	gchristian = none
>  
>
Just a quick thought here. It's pretty neat to have such a feature, but
I have some security issues. If somehow, somebody is able to steal
svnserve.conf, he'll see only the server configuration and the location
on password-db, but won't see any username or password. With this patch,
he'll be able to see a username and try to access the repository by
guessing its password (we're talking about the case anon-access = none
and auth-access = write). Is it possible to move the [auth] part in the
password-db file?



Re: [PATCH] svnserve per-user read/write access control

Posted by Alec Thomas <su...@swapoff.org>.
On Tue, Sep 07, 2004 at 12:14:28PM -0400, Greg Hudson wrote:
> Hm.  While cleaning up the patch I noticed a couple more nits (wrong
> indentation style, and you could have grabbed the per-user default
> before computing result) and, unfortunately, a design problem:
> svnserve calls get_access() in several places to find out what access
> the client connection *would* have given that it is authenticated or
> unauthenticated: in send_mechs() to determine what mechanisms to
> present, in auth() to determine what mechanisms to recognize, in
> must_have_write_access() to determine if authenticating would grant
> write access, and in find_repos() to determine whether to reject all
> connections to the repository.  If the level of access depends on
> *which* user the connection authenticates as, then we need a way of
> answering the question, "what's the maximum level of access any user
> could get by authenticating?"  That's clearly not a five-line change any
> more.

Hmmm, yes, I see what you are saying. The reason I had never encountered
this is that all my Subversion instances run over svn+ssh where the user
is already known. In this situation it works quite well, but I should
have more thoroughly tested it under different scenarios.

As the patch is likely to be superseded by path-based access control, I
won't attempt to modify svnserve any further and I'm happy to continue
applying this patch to my local builds to give me fine control over
svn+ssh access.

Alec

--
Evolution: Taking care of those too stupid to take care of themselves.


Re: [PATCH] svnserve per-user read/write access control

Posted by Greg Hudson <gh...@MIT.EDU>.
On Tue, 2004-09-07 at 12:00, Greg Hudson wrote:
> This patch looks pretty good.  There are a couple of nits (patches
> should ideally come with log messages--see HACKING--and shouldn't use
> tabs for indentation), but I'll take care of them.

Hm.  While cleaning up the patch I noticed a couple more nits (wrong
indentation style, and you could have grabbed the per-user default
before computing result) and, unfortunately, a design problem:

svnserve calls get_access() in several places to find out what access
the client connection *would* have given that it is authenticated or
unauthenticated: in send_mechs() to determine what mechanisms to
present, in auth() to determine what mechanisms to recognize, in
must_have_write_access() to determine if authenticating would grant
write access, and in find_repos() to determine whether to reject all
connections to the repository.  If the level of access depends on
*which* user the connection authenticates as, then we need a way of
answering the question, "what's the maximum level of access any user
could get by authenticating?"  That's clearly not a five-line change any
more.
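
Added example, not part of the thread and not code from the patch or from svnserve: a sketch of the [auth] override described in the original post together with the "maximum level of access any user could get by authenticating" query raised in the message above. All type, function and variable names are hypothetical, and the two configurations are constructed samples.

```c
/* Added illustration; names are hypothetical, not svnserve's own. */
#include <stdio.h>
#include <string.h>

enum access { NO_ACCESS, READ_ACCESS, WRITE_ACCESS };
struct user_rule { const char *user; enum access level; };
struct conf {
  enum access anon, auth;          /* anon-access / auth-access */
  const struct user_rule *rules;   /* entries of the [auth] section */
  size_t n_rules;
};

/* Access for one connection; user == NULL means unauthenticated. */
enum access effective_access(const struct conf *c, const char *user)
{
  if (user == NULL)
    return c->anon;
  for (size_t i = 0; i < c->n_rules; i++)
    if (strcmp(c->rules[i].user, user) == 0)
      return c->rules[i].level;    /* per-user entry overrides the default */
  return c->auth;
}

/* Upper bound on what any user could get by authenticating: the default
   for unlisted users or the most permissive [auth] entry. */
enum access max_auth_access(const struct conf *c)
{
  enum access best = c->auth;
  for (size_t i = 0; i < c->n_rules; i++)
    if (c->rules[i].level > best)
      best = c->rules[i].level;
  return best;
}

/* Constructed samples: the thread's example, and a locked-down variant. */
static const struct user_rule thread_rules[] = {
  { "athomas", WRITE_ACCESS }, { "gchristian", NO_ACCESS } };
static const struct conf thread_conf = { READ_ACCESS, READ_ACCESS, thread_rules, 2 };
static const struct user_rule locked_rules[] = { { "athomas", WRITE_ACCESS } };
static const struct conf locked_conf = { NO_ACCESS, NO_ACCESS, locked_rules, 1 };

int main(void)
{
  /* A pre-authentication check that consults only auth-access sees "none"
     here, although athomas would get write access once authenticated. */
  printf("auth-access=%d max=%d\n", locked_conf.auth, max_auth_access(&locked_conf));
  printf("gchristian=%d\n", effective_access(&thread_conf, "gchristian"));
  return 0;
}
```

The bound is conservative: it counts the auth-access default even if every account in the password database happens to have its own [auth] entry.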



Re: [PATCH] svnserve per-user read/write access control

Posted by Greg Hudson <gh...@MIT.EDU>.
On Sat, 2004-09-04 at 03:41, Alec Thomas wrote:
> I have attached a revised patch with the changes to both the man page
> and libsvn_repos/repos.c.

This patch looks pretty good.  There are a couple of nits (patches
should ideally come with log messages--see HACKING--and shouldn't use
tabs for indentation), but I'll take care of them.

This is useful, easily-implemented functionality, but as some people
have pointed out, it would be redundant if we had path-based
authorization in svnserve.  So I'm going to file away the patch in an
issue after cleaning up the nits.  If we don't have path-based
authorization or (better yet) in-FS ACLs in svnserve by the time we're
thinking of branching for 1.2, I will most likely apply the patch then.

(I think it would be a little hasty to get this into 1.1.)



Re: [PATCH] svnserve per-user read/write access control

Posted by Alec Thomas <su...@swapoff.org>.
On Fri, Sep 03, 2004 at 07:54:21PM -0400, Greg Hudson wrote:
> Alec: I think your patch is fine, but could you resubmit it with updates
> to the default svnserve.conf comments (in libsvn_repos/repos.c) and to
> the svnserve.conf.5 man page?

Hey Greg,

I have attached a revised patch with the changes to both the man page
and libsvn_repos/repos.c.

Regards,
Alec

--
Evolution: Taking care of those too stupid to take care of themselves.

Re: [PATCH] svnserve per-user read/write access control

Posted by Greg Hudson <gh...@MIT.EDU>.
On Fri, 2004-09-03 at 19:48, Robert Spier wrote:
> > Please consider this patch for inclusion. It implements per-user access
> > control for svnserve.  Access is specified in an [auth] section of the
> > svnserve.conf file.
> 
> It would be really neat if this could use the same configuration file
> (format) as mod_authz_svn.

Alec's patch doesn't do the same thing as mod_authz_svn, so it would be
quite a trick to get it to use the same configuration format.

Alec: I think your patch is fine, but could you resubmit it with updates
to the default svnserve.conf comments (in libsvn_repos/repos.c) and to
the svnserve.conf.5 man page?



Re: [PATCH] svnserve per-user read/write access control

Posted by Robert Spier <rs...@pobox.com>.
> Please consider this patch for inclusion. It implements per-user access
> control for svnserve.  Access is specified in an [auth] section of the
> svnserve.conf file.

It would be really neat if this could use the same configuration file
(format) as mod_authz_svn.

