Thanks, Mathias. I think there is a workaround for this, but I can't
remember it. However, this question comes up often enough that we
should find out and add it to the FAQ.
I'm CC'ing the dev@ list so we can find that workaround, and then write
the FAQ entry.
-Karl
Mathias Kende <mathias_at_kende.fr> writes:
> This is a report of something that is not really a bug (because the
> software behaves as expected), but is a design problem of the new 1.5
> keywords ($anonymous and $authenticated) for the authz file of svnserve,
> which prevents checking out a repository with a private directory.
>
> The problem is that if a directory is readable by anybody but not one of
> its subdirectories then you can't check out the subdirectory.
>
> Steps to reproduce:
>
> At the root of your svnserve create a new repos :
> svnadmin create test
> Uncomment one user in passwd (e.g. harry=harryssecret) and add the
> passwd file in the svnserve.conf file, which is now :
> [general]
> anon-access = read
> auth-access = write
> password-db = passwd
>
>
> Then, import some files into it :
> svn co svn://localhost/test
> cd test
> mkdir public
> mkdir private
> touch public/foo
> touch private/bar
> svn add public private
> svn ci
>
> Add "authz-db = authz" in svnserve.conf and modify the authz file to
> something like :
>
> [aliases]
> [groups]
> [/]
> $anonymous = r
> $authenticated = rw
> [test:/private]
> $anonymous =
>
> And now, we try to check out some fresh copy of the repos.
> svn co svn://localhost/test
> and
> svn co --username harry --password harryssecret svn://localhost/test
> These two commands have the same result : only the "public" directory is
> checked out.
>
> My problem is that I know no proper way to check out the entire
> repository.
>
> The reason is that svnserve sees that no password is needed to read '/'
> so the password is not used (I don't know if the authentication is
> done), and the "private" directory can not be checked out.
>
> The solution is to c/o separately the other directory :
> cd test
> svn co svn://localhost/test/private
> Which will ask for the password if it has not been given in the previous
> step, and then, you need to modify "test/.svn/entries" and remove all
> the blank lines and the "absent" keyword under the name of the "private"
> directory for it to be recognised as part of the repos. But this is
> something that should not be done I suppose.
>
> The solution I see to this problem is that when svn sends a credential,
> svnserve should use it to authenticate the user even if it is not needed,
> or, even better, when the checkout occurs, the server should ask for a
> password if some sub-directories need authentication (this is not a
> security issue I believe because in any case the name of the "private"
> directory is transmitted to the client as it is in the .svn/entries
> file).
>
> I hope that I was clear enough,
> thanks,
>
> Mathias
Received on 2008-09-22 23:41:44 CEST
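
An added example, not part of the original thread and not Subversion code: a small Python check that flags the authz layout from the report, where `$anonymous` can read a directory but is denied one of its subdirectories. It models only explicit `$anonymous` entries (no `*`, groups or aliases), and the function names are hypothetical.

```python
import configparser

# Constructed sample: the authz file quoted in the report above.
SAMPLE_AUTHZ = """\
[aliases]
[groups]
[/]
$anonymous = r
$authenticated = rw
[test:/private]
$anonymous =
"""

def parse_anonymous_rules(authz_text):
    """Return [(section, repo, path, anon_can_read)] for sections naming $anonymous."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(authz_text)
    rules = []
    for section in cp.sections():
        repo, sep, path = section.partition(":")
        if not sep:
            repo, path = None, section  # "[/path]" applies to every repository
        if not path.startswith("/") or "$anonymous" not in cp[section]:
            continue  # [aliases], [groups], or no anonymous rule in this section
        path = "/" + path.strip("/")
        rules.append((section, repo, path, "r" in cp[section]["$anonymous"]))
    return rules

def find_hidden_subtrees(authz_text):
    """Pairs (parent_section, child_section): anonymous reads parent, not child."""
    rules = parse_anonymous_rules(authz_text)
    findings = []
    for c_sec, c_repo, c_path, c_read in rules:
        if c_read:
            continue
        ancestors = [r for r in rules if r[1] in (None, c_repo) and r[2] != c_path
                     and c_path.startswith(r[2].rstrip("/") + "/")]
        if not ancestors:
            continue
        # Nearest ancestor: longest path, repository-specific section on a tie.
        nearest = max(ancestors, key=lambda r: (len(r[2]), r[1] is not None))
        if nearest[3]:
            findings.append((nearest[0], c_sec))
    return findings

if __name__ == "__main__":
    for parent, child in find_hidden_subtrees(SAMPLE_AUTHZ):
        print(f"[{child}] is hidden below anonymously readable [{parent}]")
```

Each pair it reports is a subtree that a checkout of the parent will skip when the server never asks for credentials, as described in the report.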