Uploaded image for project: 'Subversion'
  1. Subversion
  2. SVN-2712

svnserve authz permissions problem

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Open
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: 1.4.x
    • Fix Version/s: unscheduled
    • Component/s: svnserve
    • Labels:
      None

      Description

      === Situation:
      
      I'm trying to run my own repo with full read/write access to myself, while blocking anonymous access 
      except for a few selected directories which I'd like to offer anonymous read access to.
      
      Repo is running using standalone svnserve with the following config:
      
      svnserve.conf:
      [general]
      password-db = passwd
      authz-db = authz
      realm = My Repo
      
      passwd:
      mina = mypassword
      
      authz:
      [/]
      mina = rw
      
      [/shared/project]
      * = r
      mina = rw
      
      === Problem:
      
      As expected, working with /shared/project works fine (anonymous can read, cannot write - 
      authenticated "mina" can read and write)
      
      The problem is when "mina" tries to read other parts of the repo which the [/] entry applies to.  Simple 
      read operations such as "list" work, however the most common operation "checkout" fails
      <-- svn co svn://localhost/popick .
      ...delay...
      --> svn: Not authorized to open root of edit operation
      
      Hunch: I think that the client authenticates fine with svnserve, but at some stage later svnserve treats 
      the connection as anonymous again.
      
      === Partial fix
      
      In svnserve.conf, setting "anon-access" to "none" (instead of the default "read") fixes the demonstrated 
      problem for user "mina", at the cost of disabling all anonymous reading to the repo, which is undesired 
      in this example.
      
      Another (also undesirable) fix is in authz, add an acl under [/] to "* = r".  It allows the checkout to 
      succeed, at the cost of allowing all anonymous users read access to all the repository.
      
      === Buddies/witnesses:
      
      * Fyodor (of nmap fame) posted on MARC: http://marc2.theaimsgroup.com/?l=subversion-
      users&m=116691293115555
      
      * More verbose devshed forum entry: http://archives.devshed.com/forums/development-94/anon-
      access-read-authz-not-a-cry-for-help-1939252.html
      
      
      Thank you for your time and an excellent open source tool.
      

      Original issue reported by minaguib

        Attachments

          Activity

            People

            • Assignee:
              subversion-importer Subversion Importer
              Reporter:
              subversion-importer Subversion Importer
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated: