[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: "SVNAuthorizationShortCircuit or something similar"

From: Justin Erenkrantz <justin_at_erenkrantz.com>
Date: 2007-04-16 22:23:21 CEST

On 4/16/07, David James <james@cs.toronto.edu> wrote:
> Okay, let's see if I understand now: You're saying that it's dangerous
> for us to change the way that Subversion processes special URIs
> because there are users who depend on their behaviour in LocationMatch
> directives.

Yes - or other mechanisms.

> To demonstrate your point, could you give a working and secure example
> of such a LocationMatch directive? Your existing LocationMatch rule
> doesn't work because it doesn't block baseline-collection URIs.
>
> You could, as you say, add mod_authz_svn into the mix, and teach
> mod_authz_svn to block the baseline collection URIs, but, if you do
> that, you will have to teach mod_authz_svn to block all the same URLs
> that your LocationMatch is blocking. In that case, the LocationMatch
> directive is redundant and serves no purpose.

Sure it does. Why do you think it doesn't? It uses a wild
card...just expand the regex as needed. It's trivial.

> You also pointed out that "mod_authz_svn doesn't handle host-based
> authorization at all." Are you implying that the new short circuit
> authz option might break Apache's host-based authorization? If so,
> how?

Yes. Because you're only going to be using mod_authz_svn instead of
permitting httpd to run through its normal authorization mechanisms -
which include *all* authorization modules.

> I do agree with you that there are some users who might be affected by
> the special URI change. CollabNet, for example, wrote a custom authz
> module, which will need to be updated if they want to support
> short-circuit authentication.

Again, no, this is all about what you can do with a stock httpd
configuration and install.

> Does this fact itself make the authz change dangerous? I don't think
> so -- I think that any users who wrote custom authz modules will
> understand that, if they switch Subversion to use short-circuit
> authentication, that they will also need to update their custom authz
> module to also support this feature.

Yes, I think it does make it dangerous.

My point is that if you give an option like 'native', folks will think
it's doing something of little consequence - users should understand
what it is when they enable this feature so that if they might be
doing it. Making the assumption that *no one* is using LocationMatch
or other default authorization mechanims is rife with trouble. If I
can do it with a stock httpd install and have that configuration break
silently with this short circuit, then we need to put major blinking
lights around the enabling of it. I think you are greatly
underestimating the creativity of httpd admins. I never cease to be
amazed at what httpd admins can come up with. =) -- justin

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Mon Apr 16 22:24:00 2007

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.