[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: authz woes

From: Christoph Ludwig <ludwig_at_fh-worms.de>
Date: 2007-08-14 16:56:23 CEST

Shaun,

On Tue, Aug 14, 2007 at 09:58:07AM -0400, Shaun Johnson wrote:
> I noticed some similarly odd behavior when I first starting using SVN
> and found that the root cause of the problem was that I used the wrong
> syntax in the authz file. In the example you gave you added a trailing
> slash to all the paths. This is incorrect. You must leave off the last
> slash or SVN will not properly apply the permissions. It will not
> complain about the incorrect syntax either.
>
> Instead of:
>
> [/dir2/]
> Alice =
>
> Use:
>
> [/dir2]
> Alice =
>
> I believe the only exception to the "no trailing slash" rule is [/].

I removed all trailing slashes from the folder entries in my authz file and
restarted the web server. But I did not observe any difference, Alice can
still commit to /dir2 and so on.
 
> You can also use a tool like Suafe (http://code.google.com/p/suafe/)
> to create/edit your authz file (shameless plug). It may be a bit
> overkill for such a small authz file, but it will generate valid authz
> file syntax.

Thanks. Howver, when I tried to start it, all I got was
"java.lang.UnsupportedClassVersionError: Bad version number in .class
file". Did you build the jar-file with Java 1.6? I am still at 1.5. (I don't
want to upgrade because my notebook runs under MaxOS X for which there is no
JDK 1.6. And I don't want to deal with different Java Runtimes on my
machines.)

Regards

Christoph

> On 8/14/07, Christoph Ludwig <ludwig@fh-worms.de> wrote:
> > Hi,
> >
> > I use subversion 1.4.4 (with Apache httpd 2.2.4) on a Linux machine. (I pasted
> > the relevant excerpt from my vhost configuration at the end of this mail.)
> > I have a repository named "test" and an authz file with the following content:
> >
> > [/]
> > * =
> > Alice = rw
> > Bob = r
> > Oskar =
> >
> > [/dir1/dir1_1/]
> > Bob = rw
> >
> > [/dir1/dir1_2/]
> > Oskar = r
> >
> > [/dir2/]
> > Alice =
> >
> > The description in
> > <URL:http://svnbook.red-bean.com/nightly/en/svn.serverconfig.pathbasedauthz.html>
> > made me expect that Alice can checkout every folder except /dir2. However:
> >
> > cludwig_at_testserver:~$ /opt/subversion-1.4.4/bin/svn co --username Alice --no-auth-cache https://testserver.fh-worms.de:8443/svn/test/TRUNK/ trunk_alice
> > Authentication realm: <https://testserver.fh-worms.de:8443> subversion repositories
> > Password for 'Alice':
> > A trunk_alice/dir1
> > A trunk_alice/dir1/dir1_1
> > A trunk_alice/dir1/dir1_1/file_a
> > A trunk_alice/dir1/dir1_2
> > A trunk_alice/dir1/dir1_2/file_b
> > A trunk_alice/dir2
> > A trunk_alice/dir2/file_c
> > Checked out revision 1.
> >
> > Alice can checkout /dir2 without problems. (She can even commit modifications
> > in /dir2.
> >
> > Now to Bob. Bob can read / checkout everything as expected. But
> > any attempt to checkin a changed file results in a "403 Forbidden"
> > error, even in /dir1/dir1_1:
> >
> > cludwig@testserver:~/trunk_bob/dir1/dir1_1$ echo test_bob > file_a
> > cludwig@testserver:~/trunk_bob/dir1/dir1_1$ /opt/subversion-1.4.4/bin/svn ci -m 'Can Bob write to /dir1/dir1_1 ?' --username Bob --no-auth-cache
> > Authentication realm: <https://testserver.fh-worms.de:8443> subversion repositories
> > Password for 'Bob':
> > Sending dir1_1/file_a
> > svn: Commit failed (details follow):
> > svn: CHECKOUT of '/svn/test/!svn/ver/2/TRUNK/dir1/dir1_1/file_a': 403 Forbidden (https://testserver.fh-worms.de:8443)
> >
> > Finally, my intention was that Oskar has full access to /dir1/dir1_2/, but to
> > no other folder. I know that (some) previous subversion releases required read
> > access to / if one wanted any access to a subfolder, but I thought this
> > restriction was lifted in 1.4. However, Oskar cannot even checkout
> > /dir1/dir1_2/:
> >
> > cludwig_at_testserver:~$ /opt/subversion-1.4.4/bin/svn co --username Oskar --no-auth-cache https://testserver.fh-worms.de:8443/svn/test/TRUNK/dir1/dir1_2 dir1_2_oskar
> > Authentication realm: <https://testserver.fh-worms.de:8443> subversion repositories
> > Password for 'Oskar':
> > svn: PROPFIND request failed on '/svn/test/TRUNK/dir1/dir1_2'
> > svn: PROPFIND of '/svn/test/TRUNK/dir1/dir1_2': 403 Forbidden (https://testserver.fh-worms.de:8443)
> >
> > It seems either I completely misunderstood how path based access control is
> > supposed to work or there is some bug... I'd appreciate any help.
> >
> > Regards
> >
> > Christoph
> >
> >
> > Apache configuration excerpt:
> >
> > <IfModule mod_dav_svn.c>
> >
> > <Location /svn/>
> > DAV svn
> >
> > # the "test" repository is in /srv/svn/test
> > SVNParentPath /srv/svn/
> >
> > # Don't ask for client certificates
> > SSLVerifyClient none
> >
> > # Authenticate by a simple password file.
> > AuthName "subversion repositories"
> > AuthType basic
> > AuthUserFile /srv/svn/test/conf/httpd.passwd
> >
> > #################
> > # Authorization #
> > #################
> >
> > # try anonymous access first, resort to real
> > # authentication if the authorization policy
> > # makes it necessary.
> > satisfy any
> > require valid-user
> >
> > # authorization policy file
> > AuthzSVNAccessFile /srv/svn/test/conf/authz
> >
> > </Location>
> >
> > <Directory /srv/svn>
> > Options +Indexes +Multiviews -FollowSymLinks
> > IndexOptions FancyIndexing \
> > ScanHTMLTitles \
> > NameWidth=* \
> > DescriptionWidth=* \
> > SuppressLastModified \
> > SuppressSize
> >
> > order allow,deny
> > allow from all
> > </Directory>
> >
> >
> > </IfModule>
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> > For additional commands, e-mail: users-help@subversion.tigris.org
> >
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: users-help@subversion.tigris.org
>
>

-- 
FH Worms - University of Applied Sciences
Fachbereich Informatik / Telekommunikation
Erenburgerstr. 19, 67549 Worms, Germany
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Tue Aug 14 16:56:29 2007

This is an archived mail posted to the Subversion Users mailing list.