
[PATCH] Re: passwd file permissions with svn+ssh

From: Daniel Shahaf <d.s_at_daniel.shahaf.co.il>
Date: Wed, 30 Apr 2008 22:04:14 +0300 (IDT)

[ Kristian, since you said you wouldn't have time, I went ahead and looked
into this. ]

Greg Hudson wrote on Tue, 29 Apr 2008 at 11:27 -0400:
> On Tue, 2008-04-29 at 17:55 +1000, Kristian Kauper wrote:
> > I just don't get why this is an issue in the first place. Why does the
> > code need to read the passwd file if a user has already authenticated
> > via SSH? I thought that was the point of the SSH access method.
>
> I agree with Kristian here, and this is probably an oversight on my part
> when I wrote the code (although it's been a while). If the passwd file
> is unreadable, svnserve should just fail to authenticate anyone with
> passwords, so that the same repository can be used with svn+ssh and
> svnserve.

Does this change look correct?

Index: subversion/svnserve/serve.c
===================================================================
--- subversion/svnserve/serve.c (revision 30863)
+++ subversion/svnserve/serve.c (working copy)
@@ -236,7 +236,9 @@ svn_error_t *load_configs(svn_config_t **cfg,
           if (server)
             /* Called by listening server; log error no matter what it is. */
             log_server_error(err, server, conn, pool);
- if (err->apr_err != SVN_ERR_BAD_FILENAME)
+
+ if (err->apr_err != SVN_ERR_BAD_FILENAME
+ && ! APR_STATUS_IS_EACCES(err->apr_err))
             {
               if (server)
                 {
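
Review bot: The added test "&& ! APR_STATUS_IS_EACCES(err->apr_err)" in load_configs makes a permission-denied passwd file take the same path as SVN_ERR_BAD_FILENAME, but nothing next to the condition says why. Please add a comment above it stating that an unreadable password file is tolerated on purpose, so the same repository can be served over svn+ssh and plain svnserve. Two related points: the log_server_error call just above is guarded by "if (server)", so when server is NULL the EACCES is now dropped without any record, and an administrator who got the file mode wrong gets no hint; and the body after the opening brace is not visible in this hunk, so it is worth confirming that with the block skipped, password-based authentication is refused rather than proceeding with a password database that was never loaded.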

Here is the effect. In the examples, svnserve is run in --tunnel mode.

        0:% chmod 0 repos/conf/passwd
        0:% grep anon-access repos/conf/svnserve.conf
        anon-access = write

        # current trunk
        0:% svn co svn+trunk://`pwd`/repos wc
        subversion/svnserve/serve.c:248: (apr_err=215004)
        svn: Authentication failed

        # with the patch
        0:% svn co svn+patched://`pwd`/repos wc | tail -1
        Checked out revision 1.

Received on 2008-04-30 21:04:38 CEST

This is an archived mail posted to the Subversion Dev mailing list.
