Re: [PATCH] Re: passwd file permissions with svn+ssh

From: Greg Hudson <ghudson_at_MIT.EDU>
Date: Wed, 30 Apr 2008 15:11:44 -0400

That looks fine, but I would add a comment. (Actually, I'm not sure why
SVN_ERR_BAD_FILENAME is being ignored either.)

Daniel Shahaf wrote:
> [ Kristian, since you said you wouldn't have time, I went ahead and looked
> into this. ]
>
> Greg Hudson wrote on Tue, 29 Apr 2008 at 11:27 -0400:
>
>> On Tue, 2008-04-29 at 17:55 +1000, Kristian Kauper wrote:
>>
>>> I just don't get why this is an issue in the first place. Why does the
>>> code need to read the passwd file if a user has already authenticated
>>> via SSH? I thought that was the point of the SSH access method.
>>>
>> I agree with Kristian here, and this is probably an oversight on my part
>> when I wrote the code (although it's been a while). If the passwd file
>> is unreadable, svnserve should just fail to authenticate anyone with
>> passwords, so that the same repository can be used with svn+ssh and
>> svnserve.
>>
>
> Does this change look correct?
>
> Index: subversion/svnserve/serve.c
> ===================================================================
> --- subversion/svnserve/serve.c (revision 30863)
> +++ subversion/svnserve/serve.c (working copy)
> @@ -236,7 +236,9 @@ svn_error_t *load_configs(svn_config_t **cfg,
> if (server)
> /* Called by listening server; log error no matter what it is. */
> log_server_error(err, server, conn, pool);
> - if (err->apr_err != SVN_ERR_BAD_FILENAME)
> +
> + if (err->apr_err != SVN_ERR_BAD_FILENAME
> + && ! APR_STATUS_IS_EACCES(err->apr_err))
> {
> if (server)
> {
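
Review bot: The added "&& ! APR_STATUS_IS_EACCES(err->apr_err)" clause widens the set of errors that are skipped, and nothing at the condition says why a permission-denied error is safe to ignore. Put a comment directly above the "if" stating the intent: an unreadable file is treated like a missing one so the caller carries on without it. The same comment should say why SVN_ERR_BAD_FILENAME is exempt. Also note that log_server_error() is called only under "if (server)", so when server is NULL the EACCES case is now dropped without any record. Either say in the comment that this is intended or report it on that path too.
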
>
> Here is the effect. In the examples, svnserve is run in --tunnel mode.
>
> 0:% chmod 0 repos/conf/passwd
> 0:% grep anon-access repos/conf/svnserve.conf
> anon-access = write
>
> # current trunk
> 0:% svn co svn+trunk://`pwd`/repos wc
> subversion/svnserve/serve.c:248: (apr_err=215004)
> svn: Authentication failed
>
> # with the patch
> 0:% svn co svn+patched://`pwd`/repos wc | tail -1
> Checked out revision 1.
>

Received on 2008-04-30 21:12:09 CEST

This is an archived mail posted to the Subversion Dev mailing list.