>An example svnserve.conf might look like this:
>
> [general]
> # Default to read access for both authenticated and unauthenticated
> # users.
> anon-access = read
> auth-access = read
> password-db = /svn/conf/global-passwd
>
> [auth]
> # Let athomas have write access to the repository.
> athomas = write
> # Deny gchristian access to the repository.
> gchristian = none
>
>
Just a quick thought here. It's pretty neat to have such a feature, but
I have some security issues. If somehow, somebody is able to steal
svnserve.conf, he'll see only the server configuration and the location
of password-db, but won't see any username or password. With this patch,
he'll be able to see a username and try to access the repository by
guessing its password (we're talking about the case anon-access = none
and auth-access = write). Is it possible to move the [auth] part into the
password-db file?
Received on Sat Sep 4 20:57:25 2004