
Re: Specify the user when a command is run?

From: Josef Wolf <jw_at_raven.inka.de>
Date: 2002-10-23 23:36:15 CEST

On Tue, Oct 22, 2002 at 05:50:08PM -0700, Greg Stein wrote:

> > > AFAIK, the URLs handled by mod_dav_svn are not mapped to physical
> > > filesystem locations under /local/svn/repos, so apache won't look
> > > there for an .htaccess.
> That is correct, and by design. We did not want to rely on Apache's mapping
> of URL to filesystem locations to determine where the underlying repository
> is located. If an admin was not careful, they could end up exposing the raw
> bits of their repository. A person could just grab .../repos/db/strings and
> circumvent all kinds of stuff.

But with the current implementation the admin has not even a chance to
define access control (if I understand correctly).

But before I go ahead, I must confess two things:
 - I had forgotten to load authz_group_module
 - I was ignorant of the fact that AllowOverride works only in
   <Directory> context.

Given those two sins, it might be that it was my fault and not the
fault of mod_dav_svn. I will check this again tomorrow.

But I still wonder why apache did not give me errors or warnings
because I used directives that were not loaded/allowed. =:O

> [ ... ]
> Alias /svn/repos /local/svn/docroot
> <Location /svn/repos>
> [ ... ]
> That keeps the repositories "out" of the doc root, yet it also gives Apache
> a way to find a .htaccess file in the filesystem. That is, you could put the
> .htaccess at /local/svn/docroot/.htaccess. If that doesn't work, then try
> aliasing /svn to a filesystem location and putting the content in there.

Sounds reasonable, I'll give it a try. OTOH, I would like to keep the
setup as simple as possible because I would like to share this with
the svn community. A complex setup would prevent people from using it.

> Inside of the .htaccess, you might be able to use the Include directive to
> include everything in a subdirectory. Within that subdir, you can have
> configuration fragments for each of the projects.

Ough! Does Include/<Directory>/<Location> work within .htaccess? This
is very contrary to the idea that lies behind .htaccess.

> While this should work, it is *not* going to be fast. Not by a long shot.
> Recall that Apache is going to load that .htaccess for *EVERY* access. A
> checkout of 1000 files is going to read that .htaccess file for each file
> and dir.

Ough! Is it really a separate connection for every file? Does it have
to be that way or is there any chance that this could be improved? Maybe
this is (one of?) the reason why the current implementation of svn is
so slow?

> I really think that you'd want to write a new kind of authentication and
> authorization module. They aren't all that difficult, but it would be in C.
> I believe that mod_perl and mod_python can allow you to write auth modules,
> so that might be another avenue.

I'm sorry, but I don't (yet) have the knowledge to do that. And I think it
would do more harm when inexperienced people (like me) try to do
security related things like authentication. Have you any pointers
where a newbie to this topic could start to learn?

-- 
-- Josef Wolf -- jw@raven.inka.de --
Received on Wed Oct 23 23:37:53 2002

This is an archived mail posted to the Subversion Dev mailing list.
