Posted to users@subversion.apache.org by Mark Tsuchida <ma...@gmail.com> on 2013/08/19 20:19:42 UTC

Cannot check out public directory with client 1.8.x without access to repo root

Hello,

I'm having an issue with our partially-public SVN repository.

The server is running SVN 1.6.11 (CentOS 6.4) with Apache and TLS.
Our repository (let's call it "myrepo") allows public read access (* =
r) to myrepo/trunk, but not to myrepo/ (the root). There is also a
directory myrepo/trunk/secret to which only specific users have access
to.

Everything has been working as expected with SVN 1.6 and 1.7 clients:
in particular, no username or password is requested when checking out
myrepo/trunk.

However, with SVN 1.8.0 and 1.8.1 clients, it is not possible to check
out any directory without supplying the credentials of a user who has
access to the repository root.

svn co https://our.server.com/svn/myrepo/trunk -> Requires authentication with client 1.8.x but not with 1.6.x or 1.7.x
svn list https://our.server.com/svn/myrepo/trunk -> Works even with 1.8.1
svn list https://our.server.com/svn/myrepo -> Requires auth, as expected

The 1.8.x clients can successfully check out myrepo/trunk if a
username and password are given, for a user with access to the
repository root.

I have so far been unable to reproduce this with a simplified test
repository, so any hints as to where to look would be much
appreciated.

The following is the section of ssl_access_log produced by checking
out myrepo/trunk using client 1.6.18 (OS X):
xx.xx.xx.xx - - [16/Aug/2013:17:36:35 -0700] "OPTIONS /svn/myrepo/trunk HTTP/1.1" 200 197
xx.xx.xx.xx - - [16/Aug/2013:17:36:35 -0700] "PROPFIND /svn/myrepo/trunk HTTP/1.1" 207 704
xx.xx.xx.xx - - [16/Aug/2013:17:36:35 -0700] "PROPFIND /svn/myrepo/!svn/vcc/default HTTP/1.1" 207 420
xx.xx.xx.xx - - [16/Aug/2013:17:36:35 -0700] "PROPFIND /svn/myrepo/!svn/bln/123 HTTP/1.1" 207 479
xx.xx.xx.xx - - [16/Aug/2013:17:36:35 -0700] "PROPFIND /svn/myrepo/trunk HTTP/1.1" 207 704
xx.xx.xx.xx - - [16/Aug/2013:17:36:35 -0700] "PROPFIND /svn/myrepo/!svn/vcc/default HTTP/1.1" 207 420
xx.xx.xx.xx - - [16/Aug/2013:17:36:35 -0700] "PROPFIND /svn/myrepo/!svn/bln/123 HTTP/1.1" 207 479
xx.xx.xx.xx - - [16/Aug/2013:17:36:35 -0700] "PROPFIND /svn/myrepo/trunk HTTP/1.1" 207 704
xx.xx.xx.xx - - [16/Aug/2013:17:36:35 -0700] "PROPFIND /svn/myrepo/!svn/vcc/default HTTP/1.1" 207 479
xx.xx.xx.xx - - [16/Aug/2013:17:36:35 -0700] "PROPFIND /svn/myrepo/!svn/bc/123/trunk HTTP/1.1" 207 718
xx.xx.xx.xx - - [16/Aug/2013:17:36:35 -0700] "OPTIONS /svn/myrepo/trunk HTTP/1.1" 200 197
xx.xx.xx.xx - - [16/Aug/2013:17:36:35 -0700] "PROPFIND /svn/myrepo/trunk HTTP/1.1" 207 704
xx.xx.xx.xx - - [16/Aug/2013:17:36:35 -0700] "PROPFIND /svn/myrepo/trunk HTTP/1.1" 207 704
xx.xx.xx.xx - - [16/Aug/2013:17:36:35 -0700] "PROPFIND /svn/myrepo/!svn/vcc/default HTTP/1.1" 207 420
xx.xx.xx.xx - - [16/Aug/2013:17:36:35 -0700] "PROPFIND /svn/myrepo/!svn/bln/123 HTTP/1.1" 207 479
xx.xx.xx.xx - - [16/Aug/2013:17:36:35 -0700] "PROPFIND /svn/myrepo/trunk HTTP/1.1" 207 704
xx.xx.xx.xx - - [16/Aug/2013:17:36:35 -0700] "PROPFIND /svn/myrepo/!svn/vcc/default HTTP/1.1" 207 420
xx.xx.xx.xx - - [16/Aug/2013:17:36:35 -0700] "PROPFIND /svn/myrepo/!svn/bln/123 HTTP/1.1" 207 479

And the following is the section of ssl_access_log produced by
checking out myrepo/trunk using client 1.8.1 (TortoiseSVN on Windows
7):
xx.xx.xx.xx - - [16/Aug/2013:17:34:05 -0700] "OPTIONS /svn/myrepo/trunk HTTP/1.1" 200 197
xx.xx.xx.xx - - [16/Aug/2013:17:34:05 -0700] "OPTIONS /svn/myrepo/trunk HTTP/1.1" 200 97
xx.xx.xx.xx - - [16/Aug/2013:17:34:06 -0700] "PROPFIND /svn/myrepo/trunk HTTP/1.1" 207 704
xx.xx.xx.xx - - [16/Aug/2013:17:34:06 -0700] "PROPFIND /svn/myrepo/!svn/vcc/default HTTP/1.1" 207 420
xx.xx.xx.xx - - [16/Aug/2013:17:34:06 -0700] "PROPFIND /svn/myrepo/!svn/bln/123 HTTP/1.1" 207 479
xx.xx.xx.xx - - [16/Aug/2013:17:34:06 -0700] "PROPFIND /svn/myrepo/!svn/bc/123/trunk HTTP/1.1" 207 781
xx.xx.xx.xx - - [16/Aug/2013:17:34:06 -0700] "PROPFIND /svn/myrepo/!svn/vcc/default HTTP/1.1" 207 420
xx.xx.xx.xx - - [16/Aug/2013:17:34:06 -0700] "PROPFIND /svn/myrepo/trunk HTTP/1.1" 207 276
xx.xx.xx.xx - - [16/Aug/2013:17:34:06 -0700] "OPTIONS /svn/myrepo/trunk HTTP/1.1" 200 197
xx.xx.xx.xx - - [16/Aug/2013:17:34:06 -0700] "OPTIONS /svn/myrepo/trunk HTTP/1.1" 200 97
xx.xx.xx.xx - - [16/Aug/2013:17:34:06 -0700] "PROPFIND /svn/myrepo/trunk HTTP/1.1" 207 704
xx.xx.xx.xx - - [16/Aug/2013:17:34:06 -0700] "PROPFIND /svn/myrepo/!svn/vcc/default HTTP/1.1" 207 420
xx.xx.xx.xx - - [16/Aug/2013:17:34:06 -0700] "PROPFIND /svn/myrepo/!svn/bln/123 HTTP/1.1" 207 479
xx.xx.xx.xx - - [16/Aug/2013:17:34:06 -0700] "PROPFIND /svn/myrepo/!svn/bc/123/trunk HTTP/1.1" 207 341
xx.xx.xx.xx - - [16/Aug/2013:17:34:06 -0700] "OPTIONS /svn/myrepo/trunk HTTP/1.1" 200 197
xx.xx.xx.xx - - [16/Aug/2013:17:34:06 -0700] "OPTIONS /svn/myrepo/trunk HTTP/1.1" 200 97
xx.xx.xx.xx - - [16/Aug/2013:17:34:06 -0700] "PROPFIND /svn/myrepo/trunk HTTP/1.1" 207 704
xx.xx.xx.xx - - [16/Aug/2013:17:34:06 -0700] "PROPFIND /svn/myrepo/!svn/vcc/default HTTP/1.1" 207 420
xx.xx.xx.xx - - [16/Aug/2013:17:34:06 -0700] "PROPFIND /svn/myrepo/!svn/bln/123 HTTP/1.1" 207 479
xx.xx.xx.xx - - [16/Aug/2013:17:34:06 -0700] "PROPFIND /svn/myrepo/!svn/bc/123 HTTP/1.1" 401 483

It appears that the 1.8.1 client requests /svn/myrepo/!svn/bc/123, to
which access is denied (401), whereas client 1.6.18 only ever requests
/svn/myrepo/!svn/bc/123/trunk, to which access is granted.

Thanks for any help,
Mark
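
The comparison made by hand in the message above can be automated: the script below maps each logged request to the repository path it addresses and reports refusals (401/403) on a parent of the checkout target, tolerating entries that mail wrapping has split across two lines. It is an added example, not part of the original post; the function names are hypothetical, the /svn prefix is assumed from the URLs shown, and the sample is the tail of the 1.8.1 log.

```python
import re
from collections import namedtuple

Request = namedtuple("Request", "method uri status repo_path")

START = re.compile(r'^\S+ \S+ \S+ \[')  # first line of a log entry
ENTRY = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')
# mod_dav_svn baseline-collection URI: <repo>/!svn/bc/<rev>[/<path>]
BASELINE = re.compile(r'/!svn/bc/\d+(/.*)?$')

# Tail of the 1.8.1 access log from the post, with its mail line wrapping.
SAMPLE = """\
xx.xx.xx.xx - - [16/Aug/2013:17:34:06 -0700] "PROPFIND
/svn/myrepo/trunk HTTP/1.1" 207 704
xx.xx.xx.xx - - [16/Aug/2013:17:34:06 -0700] "PROPFIND
/svn/myrepo/!svn/vcc/default HTTP/1.1" 207 420
xx.xx.xx.xx - - [16/Aug/2013:17:34:06 -0700] "PROPFIND
/svn/myrepo/!svn/bc/123/trunk HTTP/1.1" 207 341
xx.xx.xx.xx - - [16/Aug/2013:17:34:06 -0700] "PROPFIND
/svn/myrepo/!svn/bc/123 HTTP/1.1" 401 483
"""


def rejoin(lines):
    """Merge continuation lines back into the entry they were wrapped from."""
    entries = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


def parse(entries, location="/svn"):
    """Map each request to the repository path it addresses (None if not a path)."""
    requests = []
    for entry in entries:
        m = ENTRY.match(entry)
        if not m:
            continue
        method, uri, status = m.group(1), m.group(2), int(m.group(3))
        bc = BASELINE.search(uri)
        if bc:
            repo_path = "/" + (bc.group(1) or "").strip("/")
        elif "/!svn/" in uri:
            repo_path = None  # vcc/bln resources do not name a repository path
        elif uri.startswith(location + "/"):
            # SVNParentPath layout assumed: <location>/<repo>/<path>
            _, _, rest = uri[len(location) + 1:].partition("/")
            repo_path = "/" + rest.strip("/")
        else:
            repo_path = None
        requests.append(Request(method, uri, status, repo_path))
    return requests


def is_strict_ancestor(candidate, target):
    if candidate is None or candidate == target:
        return False
    return candidate == "/" or target.startswith(candidate + "/")


def denied_parents(log_text, target):
    """Requests refused with 401/403 that address a parent of the checkout target."""
    requests = parse(rejoin(log_text.splitlines()))
    return [r for r in requests
            if r.status in (401, 403) and is_strict_ancestor(r.repo_path, target)]


if __name__ == "__main__":
    for hit in denied_parents(SAMPLE, "/trunk"):
        print(hit.status, hit.method, hit.uri, "-> repository path", hit.repo_path)
```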

Re: Cannot check out public directory with client 1.8.x without access to repo root

Posted by Mark Tsuchida <ma...@gmail.com>.
Hi Daniel,

On Mon, Aug 19, 2013 at 12:06 PM, Daniel Shahaf <da...@elego.de> wrote:
> Mark Tsuchida wrote on Mon, Aug 19, 2013 at 11:19:42 -0700:
>> svn co https://our.server.com/svn/myrepo/trunk -> Requires
>> authentication with client 1.8.x but not with 1.6.x or 1.7.x
>> svn list https://our.server.com/svn/myrepo/trunk -> Works even with 1.8.1
>> svn list https://our.server.com/svn/myrepo -> Requires auth, as expected
>>
>> The 1.8.x clients can successfully check out myrepo/trunk if a
>> username and password are given, for a user with access to the
>> repository root.
[...]
> Information that might be relevant includes:
>
> - The authz file
> - The <Location> block

Thanks for the suggestions. I've been able to simplify the authz file
to the following without changing the problematic behavior:

-- begin --
[myrepo:/]
mark = rw
* =
[myrepo:/trunk]
* = r
mark = rw
[/]
mark = rw
* =
-- end --

The <location> block looks like this:

-- begin --
<Location /svn>
    DAV svn
    SVNParentPath /home/svnroot
    SSLRequireSSL
    AuthType Basic
    AuthName "Repository"
    AuthUserFile /etc/httpd/httpdsvnpasswd
    AuthzSVNAccessFile /etc/httpd/svnAccess

    Satisfy Any
    Require valid-user
</Location>
-- end --


> - Whether 1.7.x reproduces the problem under either serf and neon (did
>   you test with each of them?)

I tried compiling SVN 1.7.11 with serf 1.3.1 and neon 0.29.6. Both work fine:

$ ~/tmp/bin/svn --config-option servers:global:http-library=serf co https://our.server.com/svn/myrepo/trunk
# -> OK

$ ~/tmp/bin/svn --config-option servers:global:http-library=neon co https://our.server.com/svn/myrepo/trunk
# -> OK


> - Whether the problem reproduces with 1.6.17
>
> Also, you should upgrade to at least 1.6.17, if not 1.7.11 or 1.8.1, to
> pick up fixes to security issues.  (An upgrade to at least 1.7 could
> easily fix your problem, too, since it'll enable 1.7+ clients to talk
> HTTPv2, which will avoid the HTTP-non-v2 compatibility codepath (unless
> you have 1.6 clients too...).)

I haven't had a chance to test this yet. I see your point about
upgrading, but it would be nice if we could keep 1.6.11, which is the
default version on CentOS/RHEL 6.4, unless this turns out to be a true
incompatibility.

Mark
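
The authz rules in the message above, evaluated with a simplified model of Subversion's path-based lookup (user names and `*` only; groups, aliases and tokens are not handled), show why /trunk is readable anonymously while a lookup on its parent is refused. This is an added example, not code from the post or from Subversion; the function names are hypothetical, and the 401/403 mapping models what this thread reports for the server with and without "Require valid-user".

```python
# Authz rules copied from the post.
AUTHZ = """\
[myrepo:/]
mark = rw
* =
[myrepo:/trunk]
* = r
mark = rw
[/]
mark = rw
* =
"""


def parse_authz(text):
    """Return {section: {who: perms}} for a plain authz file."""
    rules, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            rules.setdefault(section, {})
        elif "=" in line and section is not None:
            who, _, perms = line.partition("=")
            rules[section][who.strip()] = perms.strip()
    return rules


def section_verdict(rules, section, user):
    """True/False if the section decides read access for user, None if it is silent."""
    matched = [perms for who, perms in rules.get(section, {}).items()
               if who == "*" or (user is not None and who == user)]
    if not matched:
        return None
    return any("r" in perms for perms in matched)  # any matching grant wins


def can_read(rules, repo, path, user=None):
    """Check [repo:path], then [path], then walk up to the parent; default deny."""
    parts = [p for p in path.split("/") if p]
    while True:
        current = "/" + "/".join(parts)
        for section in (f"{repo}:{current}", current):
            verdict = section_verdict(rules, section, user)
            if verdict is not None:
                return verdict
        if not parts:
            return False
        parts.pop()


def ancestors(path):
    """Strict ancestors of path, root first."""
    parts = [p for p in path.split("/") if p]
    return ["/" + "/".join(parts[:i]) for i in range(len(parts))]


def parent_lookups(rules, repo, target, user=None, require_valid_user=True):
    """Modelled PROPFIND status for each parent of the checkout target."""
    results = []
    for parent in ancestors(target):
        if can_read(rules, repo, parent, user):
            status = 207
        elif user is None and require_valid_user:
            status = 401  # anonymous and auth configured: server asks for credentials
        else:
            status = 403
        results.append((parent, status))
    return results


if __name__ == "__main__":
    rules = parse_authz(AUTHZ)
    print("anonymous /trunk readable:", can_read(rules, "myrepo", "/trunk"))
    print("anonymous parent lookups:", parent_lookups(rules, "myrepo", "/trunk"))
```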

Re: Cannot check out public directory with client 1.8.x without access to repo root

Posted by Daniel Shahaf <da...@elego.de>.
Mark Tsuchida wrote on Mon, Aug 19, 2013 at 11:19:42 -0700:
> svn co https://our.server.com/svn/myrepo/trunk -> Requires
> authentication with client 1.8.x but not with 1.6.x or 1.7.x
> svn list https://our.server.com/svn/myrepo/trunk -> Works even with 1.8.1
> svn list https://our.server.com/svn/myrepo -> Requires auth, as expected
> 
> The 1.8.x clients can successfully check out myrepo/trunk if a
> username and password are given, for a user with access to the
> repository root.
> 
> I have so far been unable to reproduce this with a simplified test
> repository, so any hints as to where to look would be much
> appreciated.

You could mount your real repository on a test <Location>, at
a different URI, that uses IP-whitelisting to permit only your
workstation, and then fiddle with the settings (<Location> directives,
authz file contents, etc.) to see if you can identify the problem.

Information that might be relevant includes:

- The authz file
- The <Location> block
- Whether 1.7.x reproduces the problem under either serf and neon (did
  you test with each of them?)
- Whether the problem reproduces with 1.6.17

Also, you should upgrade to at least 1.6.17, if not 1.7.11 or 1.8.1, to
pick up fixes to security issues.  (An upgrade to at least 1.7 could
easily fix your problem, too, since it'll enable 1.7+ clients to talk
HTTPv2, which will avoid the HTTP-non-v2 compatibility codepath (unless
you have 1.6 clients too...).)

Re: Cannot check out public directory with client 1.8.x without access to repo root

Posted by Ivan Zhakov <iv...@visualsvn.com>.
On Wed, Aug 21, 2013 at 12:01 PM, Ben Reser <be...@reser.org> wrote:
> On Wed Aug 21 00:17:08 2013, Ivan Zhakov wrote:
>> The first bug here is why Subversion 1.8 doesn't ask you for credentials on checkout
>> like it does for commit.
>
> Known limitation of HTTP, see the Partial Readability on Checkouts
> block at the bottom of this page:
> http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html
>
The problem is that the server responds 401 and the client doesn't ask for
credentials, while it should.


-- 
Ivan Zhakov

Re: Cannot check out public directory with client 1.8.x without access to repo root

Posted by Ben Reser <be...@reser.org>.
On Wed Aug 21 00:17:08 2013, Ivan Zhakov wrote:
> The first bug here is why Subversion 1.8 doesn't ask you for credentials on checkout
> like it does for commit.

Known limitation of HTTP, see the Partial Readability on Checkouts 
block at the bottom of this page:
http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html


Re: Cannot check out public directory with client 1.8.x without access to repo root

Posted by Mark Tsuchida <ma...@gmail.com>.
On Wed, Aug 21, 2013 at 12:17 AM, Ivan Zhakov <iv...@visualsvn.com> wrote:
> On Wed, Aug 21, 2013 at 4:17 AM, Mark Tsuchida <ma...@gmail.com> wrote:
>> On Tue, Aug 20, 2013 at 12:02 AM, Ivan Zhakov <iv...@visualsvn.com> wrote:
>>> On Mon, Aug 19, 2013 at 11:14 PM, Ivan Zhakov <iv...@visualsvn.com> wrote:
>>>> On Mon, Aug 19, 2013 at 10:19 PM, Mark Tsuchida <ma...@gmail.com> wrote:
>> [...]
>>>>> The server is running SVN 1.6.11 (CentOS 6.4) with Apache and TLS.
>>>>> Our repository (let's call it "myrepo") allows public read access (* =
>>>>> r) to myrepo/trunk, but not to myrepo/ (the root). There is also a
>>>>> directory myrepo/trunk/secret to which only specific users have access
>>>>> to.
>>>>>
>>>>> Everything has been working as expected with SVN 1.6 and 1.7 clients:
>>>>> in particular, no username or password is requested when checking out
>>>>> myrepo/trunk.
>>>>>
>>>>> However, with SVN 1.8.0 and 1.8.1 clients, it is not possible to check
>>>>> out any directory without supplying the credentials of a user who has
>>>>> access to the repository root.
>>>>>
>>>>> svn co https://our.server.com/svn/myrepo/trunk -> Requires
>>>>> authentication with client 1.8.x but not with 1.6.x or 1.7.x
>>>>> svn list https://our.server.com/svn/myrepo/trunk -> Works even with 1.8.1
>>>>> svn list https://our.server.com/svn/myrepo -> Requires auth, as expected
[...]
>> Can you perhaps spot an error in my authz and apache configs (please see my
>> reply to Daniel)?
>>
> Did you try replacing "Satisfy Any" with "Satisfy All"?

Yes, we tried that. "Satisfy All" is more stringent and completely
disallows anonymous access (given the "Require valid-user").

> I think in the current state you have two options:
> 1. Upgrade server to Subversion 1.8
> 2. Create 'guest' user and disable anonymous access
>
> It will still be useful to file a bug in the Subversion issue tracker though.

Thank you for the suggestions. I've filed issue 4416.
http://subversion.tigris.org/issues/show_bug.cgi?id=4416

Best,
Mark

Re: Cannot check out public directory with client 1.8.x without access to repo root

Posted by Ivan Zhakov <iv...@visualsvn.com>.
On Wed, Aug 21, 2013 at 4:17 AM, Mark Tsuchida <ma...@gmail.com> wrote:
> Hi Ivan,
>
> On Tue, Aug 20, 2013 at 12:02 AM, Ivan Zhakov <iv...@visualsvn.com> wrote:
>> On Mon, Aug 19, 2013 at 11:14 PM, Ivan Zhakov <iv...@visualsvn.com> wrote:
>>> On Mon, Aug 19, 2013 at 10:19 PM, Mark Tsuchida <ma...@gmail.com> wrote:
> [...]
>>>> The server is running SVN 1.6.11 (CentOS 6.4) with Apache and TLS.
>>>> Our repository (let's call it "myrepo") allows public read access (* =
>>>> r) to myrepo/trunk, but not to myrepo/ (the root). There is also a
>>>> directory myrepo/trunk/secret to which only specific users have access
>>>> to.
>>>>
>>>> Everything has been working as expected with SVN 1.6 and 1.7 clients:
>>>> in particular, no username or password is requested when checking out
>>>> myrepo/trunk.
>>>>
>>>> However, with SVN 1.8.0 and 1.8.1 clients, it is not possible to check
>>>> out any directory without supplying the credentials of a user who has
>>>> access to the repository root.
>>>>
>>>> svn co https://our.server.com/svn/myrepo/trunk -> Requires
>>>> authentication with client 1.8.x but not with 1.6.x or 1.7.x
>>>> svn list https://our.server.com/svn/myrepo/trunk -> Works even with 1.8.1
>>>> svn list https://our.server.com/svn/myrepo -> Requires auth, as expected
> [...]
>>>> The following is the section of ssl_access_log produced by checking
>>>> out myrepo/trunk using client 1.6.18 (OS X):
>>>> xx.xx.xx.xx - - [16/Aug/2013:17:36:35 -0700] "OPTIONS
>>>> /svn/myrepo/trunk HTTP/1.1" 200 197
>>> [...]
>>>> /svn/myrepo/!svn/vcc/default HTTP/1.1" 207 420
>>>> xx.xx.xx.xx - - [16/Aug/2013:17:36:35 -0700] "PROPFIND
>>>> /svn/myrepo/!svn/bln/123 HTTP/1.1" 207 479
>>>>
>>>> And the following is the section of ssl_access_log produced by
>>>> checking out myrepo/trunk using client 1.8.1 (TortoiseSVN on Windows
>>>> 7):
>>>> xx.xx.xx.xx - - [16/Aug/2013:17:34:05 -0700] "OPTIONS
>>>> /svn/myrepo/trunk HTTP/1.1" 200 197
>>> [...]
>>>> xx.xx.xx.xx - - [16/Aug/2013:17:34:06 -0700] "PROPFIND
>>>> /svn/myrepo/!svn/bc/123 HTTP/1.1" 401 483
>> It should be "403 Forbidden", not "401 Unauthorized". Looks like some
>> issue with server configuration.
>
> I can get the server to return 403 Forbidden for
> https://our.server.com/svn/myrepo by removing "Require valid-user"
> from our Apache config. This does seem to allow the anonymous checkout
> of https://our.server.com/svn/myrepo/trunk to succeed. But this also
> prevents the client from asking for a password altogether when
> checking out e.g. https://our.server.com/svn/myrepo, which is not the
> desired behavior.
>
The problem here is that when checking out, Subversion requests properties
for every parent if the server doesn't support retrieving them in the special
request introduced in Subversion 1.8. But the anonymous user doesn't have
access to the repository root and the server responds 401 Unauthorized, which
means "no anonymous access, give me valid credentials". The first bug
here is why Subversion 1.8 doesn't ask you for credentials on checkout
like it does for commit.

>>>> It appears that the 1.8.1 client requests /svn/myrepo/!svn/bc/123, to
>>>> which access is denied (401), whereas client 1.6.18 only ever requests
>>>> /svn/myrepo/!svn/bc/123/trunk, to which access is granted.
>>>>
>>> Most likely it is some problem with inherited properties feature
>>> implemented in Subversion 1.8.
>>>
>> The issue doesn't reproduce with a server configured for non-anonymous
>> access: the server returns 401 Forbidden for the PROPFIND request on the
>> repository root, and this is handled properly by the Subversion 1.8 client.
>
> (I assume you meant 403 Forbidden.)
Yes, I meant 403 Forbidden. Sorry.

> Does that still allow checking out the root by users who do
> have read permission for the root
Yes, checking out a working copy without access to the repository root is
supported in Subversion 1.8. But it seems that anonymous checkout
without access to the repository root is broken now.

> Can you perhaps spot an error in my authz and apache configs (please see my
> reply to Daniel)?
>
Did you try replacing "Satisfy Any" with "Satisfy All"?


I think in the current state you have two options:
1. Upgrade server to Subversion 1.8
2. Create 'guest' user and disable anonymous access

It will still be useful to file a bug in the Subversion issue tracker though.

-- 
Ivan Zhakov

Re: Cannot check out public directory with client 1.8.x without access to repo root

Posted by Mark Tsuchida <ma...@gmail.com>.
Hi Ivan,

On Tue, Aug 20, 2013 at 12:02 AM, Ivan Zhakov <iv...@visualsvn.com> wrote:
> On Mon, Aug 19, 2013 at 11:14 PM, Ivan Zhakov <iv...@visualsvn.com> wrote:
>> On Mon, Aug 19, 2013 at 10:19 PM, Mark Tsuchida <ma...@gmail.com> wrote:
[...]
>>> The server is running SVN 1.6.11 (CentOS 6.4) with Apache and TLS.
>>> Our repository (let's call it "myrepo") allows public read access (* =
>>> r) to myrepo/trunk, but not to myrepo/ (the root). There is also a
>>> directory myrepo/trunk/secret to which only specific users have access
>>> to.
>>>
>>> Everything has been working as expected with SVN 1.6 and 1.7 clients:
>>> in particular, no username or password is requested when checking out
>>> myrepo/trunk.
>>>
>>> However, with SVN 1.8.0 and 1.8.1 clients, it is not possible to check
>>> out any directory without supplying the credentials of a user who has
>>> access to the repository root.
>>>
>>> svn co https://our.server.com/svn/myrepo/trunk -> Requires
>>> authentication with client 1.8.x but not with 1.6.x or 1.7.x
>>> svn list https://our.server.com/svn/myrepo/trunk -> Works even with 1.8.1
>>> svn list https://our.server.com/svn/myrepo -> Requires auth, as expected
[...]
>>> The following is the section of ssl_access_log produced by checking
>>> out myrepo/trunk using client 1.6.18 (OS X):
>>> xx.xx.xx.xx - - [16/Aug/2013:17:36:35 -0700] "OPTIONS
>>> /svn/myrepo/trunk HTTP/1.1" 200 197
>> [...]
>>> /svn/myrepo/!svn/vcc/default HTTP/1.1" 207 420
>>> xx.xx.xx.xx - - [16/Aug/2013:17:36:35 -0700] "PROPFIND
>>> /svn/myrepo/!svn/bln/123 HTTP/1.1" 207 479
>>>
>>> And the following is the section of ssl_access_log produced by
>>> checking out myrepo/trunk using client 1.8.1 (TortoiseSVN on Windows
>>> 7):
>>> xx.xx.xx.xx - - [16/Aug/2013:17:34:05 -0700] "OPTIONS
>>> /svn/myrepo/trunk HTTP/1.1" 200 197
>> [...]
>>> xx.xx.xx.xx - - [16/Aug/2013:17:34:06 -0700] "PROPFIND
>>> /svn/myrepo/!svn/bc/123 HTTP/1.1" 401 483
> It should be "403 Forbidden", not "401 Unauthorized". Looks like some
> issue with server configuration.

I can get the server to return 403 Forbidden for
https://our.server.com/svn/myrepo by removing "Require valid-user"
from our Apache config. This does seem to allow the anonymous checkout
of https://our.server.com/svn/myrepo/trunk to succeed. But this also
prevents the client from asking for a password altogether when
checking out e.g. https://our.server.com/svn/myrepo, which is not the
desired behavior.

>>> It appears that the 1.8.1 client requests /svn/myrepo/!svn/bc/123, to
>>> which access is denied (401), whereas client 1.6.18 only ever requests
>>> /svn/myrepo/!svn/bc/123/trunk, to which access is granted.
>>>
>> Most likely it is some problem with inherited properties feature
>> implemented in Subversion 1.8.
>>
> The issue doesn't reproduce with a server configured for non-anonymous
> access: the server returns 401 Forbidden for the PROPFIND request on the
> repository root, and this is handled properly by the Subversion 1.8 client.

(I assume you meant 403 Forbidden.) Does that still allow checking out
the root by users who do have read permission for the root? Can you
perhaps spot an error in my authz and apache configs (please see my
reply to Daniel)?

Thanks for the help,
Mark

Re: Cannot check out public directory with client 1.8.x without access to repo root

Posted by Ivan Zhakov <iv...@visualsvn.com>.
On Mon, Aug 19, 2013 at 11:14 PM, Ivan Zhakov <iv...@visualsvn.com> wrote:
> On Mon, Aug 19, 2013 at 10:19 PM, Mark Tsuchida <ma...@gmail.com> wrote:
>> Hello,
>>
>> I'm having an issue with our partially-public SVN repository.
>>
>> The server is running SVN 1.6.11 (CentOS 6.4) with Apache and TLS.
>> Our repository (let's call it "myrepo") allows public read access (* =
>> r) to myrepo/trunk, but not to myrepo/ (the root). There is also a
>> directory myrepo/trunk/secret to which only specific users have access
>> to.
>>
>> Everything has been working as expected with SVN 1.6 and 1.7 clients:
>> in particular, no username or password is requested when checking out
>> myrepo/trunk.
>>
>> However, with SVN 1.8.0 and 1.8.1 clients, it is not possible to check
>> out any directory without supplying the credentials of a user who has
>> access to the repository root.
>>
>> svn co https://our.server.com/svn/myrepo/trunk -> Requires
>> authentication with client 1.8.x but not with 1.6.x or 1.7.x
>> svn list https://our.server.com/svn/myrepo/trunk -> Works even with 1.8.1
>> svn list https://our.server.com/svn/myrepo -> Requires auth, as expected
>>
>> The 1.8.x clients can successfully check out myrepo/trunk if a
>> username and password are given, for a user with access to the
>> repository root.
>>
>> I have so far been unable to reproduce this with a simplified test
>> repository, so any hints as to where to look would be much
>> appreciated.
>>
>> The following is the section of ssl_access_log produced by checking
>> out myrepo/trunk using client 1.6.18 (OS X):
>> xx.xx.xx.xx - - [16/Aug/2013:17:36:35 -0700] "OPTIONS
>> /svn/myrepo/trunk HTTP/1.1" 200 197
> [...]
>> /svn/myrepo/!svn/vcc/default HTTP/1.1" 207 420
>> xx.xx.xx.xx - - [16/Aug/2013:17:36:35 -0700] "PROPFIND
>> /svn/myrepo/!svn/bln/123 HTTP/1.1" 207 479
>>
>> And the following is the section of ssl_access_log produced by
>> checking out myrepo/trunk using client 1.8.1 (TortoiseSVN on Windows
>> 7):
>> xx.xx.xx.xx - - [16/Aug/2013:17:34:05 -0700] "OPTIONS
>> /svn/myrepo/trunk HTTP/1.1" 200 197
> [...]
>> xx.xx.xx.xx - - [16/Aug/2013:17:34:06 -0700] "PROPFIND
>> /svn/myrepo/!svn/bc/123 HTTP/1.1" 401 483
It should be "403 Forbidden", not "401 Unauthorized". Looks like some
issue with server configuration.

>>
>> It appears that the 1.8.1 client requests /svn/myrepo/!svn/bc/123, to
>> which access is denied (401), whereas client 1.6.18 only ever requests
>> /svn/myrepo/!svn/bc/123/trunk, to which access is granted.
>>
> Most likely it is some problem with inherited properties feature
> implemented in Subversion 1.8.
>
The issue doesn't reproduce with a server configured for non-anonymous
access: the server returns 401 Forbidden for the PROPFIND request on the
repository root, and this is handled properly by the Subversion 1.8 client.


-- 
Ivan Zhakov
CTO | VisualSVN | http://www.visualsvn.com

Re: Cannot check out public directory with client 1.8.x without access to repo root

Posted by Ivan Zhakov <iv...@visualsvn.com>.
On Mon, Aug 19, 2013 at 10:19 PM, Mark Tsuchida <ma...@gmail.com> wrote:
> Hello,
>
> I'm having an issue with our partially-public SVN repository.
>
> The server is running SVN 1.6.11 (CentOS 6.4) with Apache and TLS.
> Our repository (let's call it "myrepo") allows public read access (* =
> r) to myrepo/trunk, but not to myrepo/ (the root). There is also a
> directory myrepo/trunk/secret to which only specific users have access
> to.
>
> Everything has been working as expected with SVN 1.6 and 1.7 clients:
> in particular, no username or password is requested when checking out
> myrepo/trunk.
>
> However, with SVN 1.8.0 and 1.8.1 clients, it is not possible to check
> out any directory without supplying the credentials of a user who has
> access to the repository root.
>
> svn co https://our.server.com/svn/myrepo/trunk -> Requires
> authentication with client 1.8.x but not with 1.6.x or 1.7.x
> svn list https://our.server.com/svn/myrepo/trunk -> Works even with 1.8.1
> svn list https://our.server.com/svn/myrepo -> Requires auth, as expected
>
> The 1.8.x clients can successfully check out myrepo/trunk if a
> username and password are given, for a user with access to the
> repository root.
>
> I have so far been unable to reproduce this with a simplified test
> repository, so any hints as to where to look would be much
> appreciated.
>
> The following is the section of ssl_access_log produced by checking
> out myrepo/trunk using client 1.6.18 (OS X):
> xx.xx.xx.xx - - [16/Aug/2013:17:36:35 -0700] "OPTIONS
> /svn/myrepo/trunk HTTP/1.1" 200 197
[...]
> /svn/myrepo/!svn/vcc/default HTTP/1.1" 207 420
> xx.xx.xx.xx - - [16/Aug/2013:17:36:35 -0700] "PROPFIND
> /svn/myrepo/!svn/bln/123 HTTP/1.1" 207 479
>
> And the following is the section of ssl_access_log produced by
> checking out myrepo/trunk using client 1.8.1 (TortoiseSVN on Windows
> 7):
> xx.xx.xx.xx - - [16/Aug/2013:17:34:05 -0700] "OPTIONS
> /svn/myrepo/trunk HTTP/1.1" 200 197
[...]
> xx.xx.xx.xx - - [16/Aug/2013:17:34:06 -0700] "PROPFIND
> /svn/myrepo/!svn/bc/123 HTTP/1.1" 401 483
>
> It appears that the 1.8.1 client requests /svn/myrepo/!svn/bc/123, to
> which access is denied (401), whereas client 1.6.18 only ever requests
> /svn/myrepo/!svn/bc/123/trunk, to which access is granted.
>
Most likely it is some problem with inherited properties feature
implemented in Subversion 1.8.

@Paul: Do you have any ideas?

-- 
Ivan Zhakov
CTO | VisualSVN | http://www.visualsvn.com