
Re: [PATCH] Re: passwd file permissions with svn+ssh

From: Kristian Kauper <kkauper_at_au.yahoo-inc.com>
Date: Thu, 01 May 2008 09:53:45 +1000

Wow, I never expected such a quick resolution. Thanks everyone for
helping with this.

> Committed r30868 and nominated for backport.

I assume that this means it won't necessarily get into a 1.4.x line, but
if it does, will it be part of 1.4.7? (Unfortunately, I don't control
our binary packages, so I have to request a new build.)

Thanks again.

Daniel Shahaf wrote:
> Daniel Shahaf wrote on Wed, 30 Apr 2008 at 22:21 +0300:
>> Greg Hudson wrote on Wed, 30 Apr 2008 at 15:11 -0400:
>>> That looks fine, but I would add a comment.
>> I'll add a comment, run 'make check' and commit.
>>
>
> Committed r30868 and nominated for backport.
>
> Thanks,
>
> Daniel
>
>> Thanks Greg,
>>
>> Daniel
>>
>>> (Actually, I'm not sure why SVN_ERR_BAD_FILENAME is being ignored
>>> either.)
>>>
>>> Daniel Shahaf wrote:
>>>> [ Kristian, since you said you wouldn't have time, I went ahead and looked
>>>> into this. ]
>>>>
>>>> Greg Hudson wrote on Tue, 29 Apr 2008 at 11:27 -0400:
>>>>
>>>>> On Tue, 2008-04-29 at 17:55 +1000, Kristian Kauper wrote:
>>>>>
>>>>>> I just don't get why this is an issue in the first place. Why does the
>>>>>> code need to read the passwd file if a user has already authenticated
>>>>>> via SSH? I thought that was the point of the SSH access method.
>>>>>>
>>>>> I agree with Kristian here, and this is probably an oversight on my part
>>>>> when I wrote the code (although it's been a while). If the passwd file
>>>>> is unreadable, svnserve should just fail to authenticate anyone with
>>>>> passwords, so that the same repository can be used with svn+ssh and
>>>>> svnserve.
>>>>>
>>>> Does this change look correct?
>>>>
>>>> Index: subversion/svnserve/serve.c
>>>> ===================================================================
>>>> --- subversion/svnserve/serve.c (revision 30863)
>>>> +++ subversion/svnserve/serve.c (working copy)
>>>> @@ -236,7 +236,9 @@ svn_error_t *load_configs(svn_config_t **cfg,
>>>> if (server)
>>>> /* Called by listening server; log error no matter what it is.
>>>> */
>>>> log_server_error(err, server, conn, pool);
>>>> - if (err->apr_err != SVN_ERR_BAD_FILENAME)
>>>> +
>>>> + if (err->apr_err != SVN_ERR_BAD_FILENAME
>>>> + && ! APR_STATUS_IS_EACCES(err->apr_err))
>>>> {
>>>> if (server)
>>>> {
>>>>
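
Review bot: The widened test at `&& ! APR_STATUS_IS_EACCES(err->apr_err)` has no comment explaining why a permission-denied error is now tolerated alongside SVN_ERR_BAD_FILENAME, and for a check that sits on the authentication path that reasoning should be in the code. A short comment above the `if` would do, saying that an unreadable password file means nobody can authenticate with passwords, while access that does not depend on it (the tunnel-mode, `anon-access = write` checkout shown in the thread) keeps working. Also note that `log_server_error(err, server, conn, pool)` is only reached under `if (server)`, so when `server` is NULL an EACCES is now skipped with nothing recorded; consider whether an administrator who mis-set the file mode should get some diagnostic in that case.
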
>>>> Here is the effect. In the examples, svnserve is run in --tunnel mode.
>>>>
>>>> 0:% chmod 0 repos/conf/passwd
>>>> 0:% grep anon-access repos/conf/svnserve.conf
>>>> anon-access = write
>>>>
>>>> # current trunk
>>>> 0:% svn co svn+trunk://`pwd`/repos wc
>>>> subversion/svnserve/serve.c:248: (apr_err=215004)
>>>> svn: Authentication failed
>>>>
>>>> # with the patch
>>>> 0:% svn co svn+patched://`pwd`/repos wc | tail -1
>>>> Checked out revision 1.
>>>>
>

Received on 2008-05-01 18:26:43 CEST

This is an archived mail posted to the Subversion Dev mailing list.
