[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

[PATCH] Re: passwd file permissions with svn+ssh

From: Daniel Shahaf <d.s_at_daniel.shahaf.co.il>
Date: Wed, 30 Apr 2008 22:04:14 +0300 (IDT)

[ Kristian, since you said you wouldn't have time, I went ahead and looked
into this. ]

Greg Hudson wrote on Tue, 29 Apr 2008 at 11:27 -0400:
> On Tue, 2008-04-29 at 17:55 +1000, Kristian Kauper wrote:
> > I just don't get why this is an issue in the first place. Why does the
> > code need to read the passwd file if a user has already authenticated
> > via SSH? I thought that was the point of the SSH access method.
> I agree with Kristian here, and this is probably an oversight on my part
> when I wrote the code (although it's been a while). If the passwd file
> is unreadable, svnserve should just fail to authenticate anyone with
> passwords, so that the same repository can be used with svn+ssh and
> svnserve.

Does this change look correct?

Index: subversion/svnserve/serve.c
--- subversion/svnserve/serve.c (revision 30863)
+++ subversion/svnserve/serve.c (working copy)
@@ -236,7 +236,9 @@ svn_error_t *load_configs(svn_config_t **cfg,
           if (server)
             /* Called by listening server; log error no matter what it is. */
             log_server_error(err, server, conn, pool);
- if (err->apr_err != SVN_ERR_BAD_FILENAME)
+ if (err->apr_err != SVN_ERR_BAD_FILENAME
+ && ! APR_STATUS_IS_EACCES(err->apr_err))
               if (server)

Here is the effect. In the examples, svnserve is run in --tunnel mode.

        0:% chmod 0 repos/conf/passwd
        0:% grep anon-access repos/conf/svnserve.conf
        anon-access = write

        # current trunk
        0:% svn co svn+trunk://`pwd`/repos wc
        subversion/svnserve/serve.c:248: (apr_err=215004)
        svn: Authentication failed

        # with the patch
        0:% svn co svn+patched://`pwd`/repos wc | tail -1
        Checked out revision 1.

To unsubscribe, e-mail: dev-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: dev-help_at_subversion.tigris.org
Received on 2008-04-30 21:04:38 CEST

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.