[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Can't figure out authzfile syntax for subdirectory access control

From: Edward Bosco <ebosco_at_prologic-inc.com>
Date: 2006-05-01 18:04:39 CEST

Xn Nooby, Mathias -

Been following this thread, and implementing the path-based
authorization. Can't get particular paths to _not_ be accessible.

With svn 1.3.1 on a Windows XP machine, accessing an existing repository
on a Debian Sarge server running 1.2.3, I can't keep
a test user from accessing directories or files they ought not to be
able to access.

My dav_svn.conf file looks like:

<Location /svn2>
  DAV svn
  SVNPath /var/repos/repos/testrepo
  Allow from All
  Satisfy Any
  SVNPathAuthz on
  AuthType Basic
  AuthUserFile /etc/apache2/users
  AuthName "Test Repository"
  AuthzSVNAccessFile /etc/apache2/authz
  Require valid-user
</Location>

My authz file looks like:
[groups]
reatssdvp = ebosco, kwest
testdvp = test

[/]
* = r

[/simulations/ebosco]
* =
ebosco = rw

[/readme.txt]
* =
@reatssdvp = rw

[/simulations/readme.txt]
* =
ebosco = rw

[/components]
* =

[testrepo:/core]
ebosco = rw
* =

[/simulations]
* =
@reatssdvp = rw

==
Using a command line invocation of svn:
C:\Documents and Settings\ebosco>svn ls
https://reatss.prologic-inc.com/svn2/testrepo/core --username test
--password test --no-auth
-cache
I still get a listing of a directory I ought not see; same holds for svn
log or whatever.

Any thoughts as how to proceed? Xn, were you able to limit access to
subdirectories?

________________________________________
From: Xn Nooby [mailto:xnooby@gmail.com]
Sent: Thursday, April 27, 2006 3:29 PM
To: Mathias.Weinert@gfa-net.de
Cc: users@subversion.tigris.org
Subject: Re: Can't figure out authzfile syntax for subdirectory access
control

Thanks you, I will try this out!

On 4/27/06, Mathias.Weinert@gfa-net.de < Mathias.Weinert@gfa-net.de>
wrote:
Xn Nooby wrote:

>
> Hi,
>
>
> I'm trying to get path-based authorization to work on an existing
installation.  I upgraded my svnserve from 1.2.3 to 1.3, and tried to
make
the appropriate changes.
>
> I changed my svnserve.conf file by adding the line:
>
>    authz-db = authzfile
>
> In the authzfile I added the following lines to block all access:
>
>    [/]
>    * =
>
> Then I added the following line to give myself read/write access
(which
worked with commits):
>
>    [/]
>    * =
>
>    [/]
>    me = rw
>
> When I try to limit my access to specifc folders, it doesn't work:
>
>    [/]
>    * =
>
>    [/svnrepo/clientname]
>    me = rw
>
> This results in an "access denied" when I try to commit a change.  I
believe the problem is with the pathname (and I tried many variations).
>
> My server is svnserve on a Windows 2003 Server.  Svnserve is running
as
a service.  I have one repository, and all my clients are in one
high-level directory ("svnrepo").  I've been trying to follow the
directions here:
>
>    http://svnbook.red-bean.com/en/1.1/ch06s04.html#svn-ch-6-sect-4.4.2
>
> But I do not understand the syntax of their pathname, why does it have
a
repository name followed by a colon?  I don't think I have a repository
name.  For example:
>
>    [calc:/branches/calc/bug-142]
>    harry = rw
>    sally = r
>
> Any suggestions?  I need to figure out how to control access to
subdirectories in my repository.
>
> I trined many things like:
>
>    [/svnrepo/clientname]
>    [:/svnrepo/clientname]
>    [/svnrepo]
>    [svnrepo:/svnrepo/clientname]
>    [:/svnrepo]
>
> Thanks!
>

You have to specify (in addition):

[/]
me = r

AFAIK this is supposed to be a bug which will be corrected
in an upcoming version (you can find some posts about this
in the users and the dev mailing lists).

If you don't want to be able to read folders other than
/svnrepo/clientname you also have to say

[/otherfolder_1]
me =

[/otherfolder_etc]
me =

Hope this helps.

Mathias

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Mon May 1 18:08:49 2006

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.