[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: working copy is web-accessible, .svn/auth/* retrievable

From: Branko Čibej <brane_at_xbc.nu>
Date: 2003-01-07 17:20:37 CET

Alexis Huxley wrote:

>Hi
>
>A Subversion and/or Apache problem:
>
>I've got my homepage stored in Subversion; that is I run:
>
> svn co http://blah.blah/svn/homepage ~/public_html
>
>For various reasons I don't want to 'make install' my homepage to
>~/public_html from somewhere else, and of course I don't want to
>remove the .svn's either.
>
>The problem is that I can retrieve .svn/auth/{username,password}
>through a web browser so anybody could get me password. (Don't bother
>trying now ;-) they're not there.)
>
>I'm can see that this isn't strictly a purely Subversion question,
>but I trawled the apache docs looking for how to use .htaccess to
>control access to subdirectories of a directory rather than the
>directory itself, but no luck.
>
>I'm wondering what my options are.
>
Have you tried this? You can put it in the global config file, but it'll
be specific to your home directory:

<Directory /home/ahuxley>
   <Files .svn>
      Order deny, allow
      Deny from all
   </Files>
<Directory>

[snip]

>Can anybody suggest any other options? Thanks!
>
>

Run Apache as a different user; the .svn/auth directory is readable only
by the owner, so all you have to do is make sure that the user Apache is
running as is not the owner of the working copy files.

-- 
Brane Čibej   <brane_at_xbc.nu>   http://www.xbc.nu/brane/
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Tue Jan 7 17:23:37 2003

This is an archived mail posted to the Subversion Dev mailing list.