
Re: [PATCH] Re: passwd file permissions with svn+ssh

From: Daniel Shahaf <d.s_at_daniel.shahaf.co.il>
Date: Wed, 30 Apr 2008 22:21:08 +0300 (IDT)

Greg Hudson wrote on Wed, 30 Apr 2008 at 15:11 -0400:
> That looks fine, but I would add a comment.

I'll add a comment, run 'make check' and commit.

Thanks Greg,

Daniel

> (Actually, I'm not sure why SVN_ERR_BAD_FILENAME is being ignored
> either.)
>
> Daniel Shahaf wrote:
> > [ Kristian, since you said you wouldn't have time, I went ahead and looked
> > into this. ]
> >
> > Greg Hudson wrote on Tue, 29 Apr 2008 at 11:27 -0400:
> >
> > > On Tue, 2008-04-29 at 17:55 +1000, Kristian Kauper wrote:
> > >
> > > > I just don't get why this is an issue in the first place. Why does the
> > > > code need to read the passwd file if a user has already authenticated
> > > > via SSH? I thought that was the point of the SSH access method.
> > > >
> > > I agree with Kristian here, and this is probably an oversight on my part
> > > when I wrote the code (although it's been a while). If the passwd file
> > > is unreadable, svnserve should just fail to authenticate anyone with
> > > passwords, so that the same repository can be used with svn+ssh and
> > > svnserve.
> > >
> >
> > Does this change look correct?
> >
> > Index: subversion/svnserve/serve.c
> > ===================================================================
> > --- subversion/svnserve/serve.c (revision 30863)
> > +++ subversion/svnserve/serve.c (working copy)
> > @@ -236,7 +236,9 @@ svn_error_t *load_configs(svn_config_t **cfg,
> > if (server)
> > /* Called by listening server; log error no matter what it is.
> > */
> > log_server_error(err, server, conn, pool);
> > - if (err->apr_err != SVN_ERR_BAD_FILENAME)
> > +
> > + if (err->apr_err != SVN_ERR_BAD_FILENAME
> > + && ! APR_STATUS_IS_EACCES(err->apr_err))
> > {
> > if (server)
> > {
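Review bot: The added `&& ! APR_STATUS_IS_EACCES(err->apr_err)` test carries no comment saying why a permission-denied error is tolerated at this point, and the existing `SVN_ERR_BAD_FILENAME` test has none either. A short comment above the condition would help, stating that an unreadable password file means no one can authenticate with a password, not that the connection fails. Also note that the only logging visible in this hunk is behind `if (server)`, so when `server` is NULL the EACCES case is now skipped with no trace. Consider whether that case deserves a log line or a warning, since an operator who has locked down the passwd file by mistake would otherwise see nothing.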
> >
> > Here is the effect. In the examples, svnserve is run in --tunnel mode.
> >
> > 0:% chmod 0 repos/conf/passwd
> > 0:% grep anon-access repos/conf/svnserve.conf
> > anon-access = write
> >
> > # current trunk
> > 0:% svn co svn+trunk://`pwd`/repos wc
> > subversion/svnserve/serve.c:248: (apr_err=215004)
> > svn: Authentication failed
> >
> > # with the patch
> > 0:% svn co svn+patched://`pwd`/repos wc | tail -1
> > Checked out revision 1.
> >

Received on 2008-04-30 21:21:45 CEST

This is an archived mail posted to the Subversion Dev mailing list.