
Re: unsafe authorisation hack?

From: Ryan Schmidt <subversion-2007b_at_ryandesign.com>
Date: 2007-04-02 22:57:48 CEST

On Apr 2, 2007, at 08:03, temp temp wrote:

> I'm currently trying to add a little bit of authorisation to one of my
> repositories that is served by apache. I found that using the normal
> svn authorisation mechanism made retrieving log messages too slow to
> be usable.
>
> I then tried a basic system of limiting access to certain Locations
> (and dav commands):
>
> <Location /svn/web/live/>
> Require group blah
> </Location>
>
> This worked pretty well. Unfortunately it still allows users to drag
> folders around within the repo-browser (I'm trying to avoid people
> accidentally moving important folders).
>
> I'm now using the LocationMatch tag directly on the !svn locations
> (LocationMatch is required to regex match the unknown version number):
>
> <LocationMatch "/2ndbyte/!svn/ver/[^/]*/web/live.*">
> Require group blah
> </LocationMatch>
>
> My question is basically - is this safe? I'm no apache/svn expert so I
> don't really understand the risks. Obviously it's much harder to get
> the rules correct this way (as it's pretty cumbersome). Mostly I'm
> worried that this might allow part of a commit to complete but then
> fail too late in the process to roll back.

[snip]

I've never seen the format of these !svn URLs described, so I believe
they are considered internal to Subversion and subject to change in
future versions without notice. My feeling is it's probably not a
good idea to try to use them in an authorization scheme (or in any
other way).

I have not needed to use authorization in my repositories so I'll let
someone else suggest a better solution. But surely authorization is a
problem that has been well solved in Subversion so I'm sure there are
some reasonable suggestions that will help you. You did not mention
which Subversion authorization mechanisms you had tried so far... You
said "all" but maybe there are some which you are not aware of which
you haven't tried...

-- 
To reply to the mailing list, please use your mailer's Reply To All function
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Mon Apr 2 22:58:15 2007
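For comparison with the !svn/ver URL matching discussed above, this is the standard path-based mechanism (mod_authz_svn) that Ryan alludes to, written here as an added example and not the poster's or Ryan's configuration; the repository name 2ndbyte and group name blah come from the thread, while every file path and user name is assumed.

```apache
# httpd.conf fragment (added example). Assumes the repository "2ndbyte"
# lives under /var/svn and that the htpasswd and authz files below exist;
# all paths and account names are constructed for illustration.
<Location /svn>
    DAV svn
    SVNParentPath /var/svn

    AuthType Basic
    AuthName "Subversion"
    AuthUserFile /etc/svn/htpasswd

    # Everyone must log in; the per-path rules live in the authz file.
    Require valid-user

    # Path-based access control evaluated on the real repository paths for
    # every WebDAV method, including the COPY/MOVE requests behind a
    # repo-browser drag (the destination path must be writable too), so the
    # internal !svn/ver/... URLs never need to be matched by hand.
    AuthzSVNAccessFile /etc/svn/authz
</Location>

# Contents of /etc/svn/authz (shown as a comment; constructed example):
#
#   [groups]
#   blah = alice, bob
#
#   # whole repository readable by any authenticated user
#   [2ndbyte:/]
#   * = r
#
#   # only members of "blah" may change anything under /web/live, which
#   # covers edits, adds, deletes and moves into or out of that tree
#   [2ndbyte:/web/live]
#   @blah = rw
#   * = r
```

A quick check after reloading Apache is to attempt a move of a folder under /web/live as a user outside the blah group and confirm the server answers 403 before any part of the commit is accepted.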

This is an archived mail posted to the Subversion Users mailing list.
