[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: svnserver authz rule precedence bug?

From: Martin Furter <mf_at_rola.ch>
Date: Thu, 22 Jan 2009 12:34:29 +0100 (CET)

On Wed, 21 Jan 2009, ycdtosa wrote:

> Hi. Im having a problem with svnserve and the authz file,
> that seems to me like a *bug* on subversion (svnserve) or the
> documentation (subversion book)
>
> svnserver authz rule precedence not working as expected / documented
>
> So, w/o further ado here i sthe simpler version i could figure out.
>
> I wanted to allow read-only access to my repo to an authenticated user,
> and read-write access to anyone else, so i got the following files:
>
> * svnserve.conf: (disallow anonymous)
>
> [general]
> anon-access = none
> auth-access = write
> password-db = passwd
> authz-db = authz
> realm = My First Repository
>
>
>
> * passwd: (a few users)
>
> [users]
> harry = harryssecret
> sally = sallyssecret
>
>
> * authz: (give harry read access, and rw to everybody else)
>
> [/]
> harry = r
> $authenticated = rw
>
>
> And that is it.
>
> The problem is that with this configuration "harry" gets "rw" permisions,
> even if to my understanding it shouldn't since on chp6 of the book it reads...
>
> "Another important fact is that the first matching rule is the one
> which gets applied to a user.
> In the prior example, even though Jane is a member of the
> paint-developers group (which has read/write access),
> the jane = r rule will be discovered and matched before the group
> rule, thus denying Jane write access."
>
> where the "prior example" was this:
>
> [paint:/projects/paint]
> jane = r
> @paint-developers = rw
>
>
> Also, googling for a solution i've found this post
> [http://blogs.open.collab.net/svn/2007/03/authz_and_anon_.html]
>
> were C. Michael (Mike) Pilato wrote:
> "But what about your authenticated would-be writers? Ah, therein
> lies the rub!
> *There are no authenticated users. * Since anonymous users can
> checkout the tree,
> Apache never bothers to query you for authentication credentials.
> And you can't force Subversion to transmit authentication
> credentials when Apache hasn't asked for them."
>
> Which *is not the case* since anonymous access already disabled, thus
> the svnserver ( not apache here, but i think that is unrelated here )
> *does* always require authentification.
>
> This might be a follow up of this thread:
> [http://osdir.com/ml/version-control.subversion.book/2008-06/msg00101.html]
>
> but i could not find any follow up
>
> Thanks.
>
> BTW: i'm working with svnserve 1.5.1 (r32289) which is not the latest.
>
> Also, i got a workaround for this, using something like this,
> but still the issue about rule precedence is there.
>
> [/]
> harry = r
> ~harry = rw

I guess you fell over one of the good old config bugs (or maybe
documentation bug ;).
AFAIK the config entries are stored in a hash table to get fast access to
them when searching for a specific entry. But authz reads all entries of a
section and checks them. If it matches it stops. But the order in which
the hash table lists the entries is not the order as they are in the
config file. And even worse, if you add, remove or rename an entry it can
change the order of the entries (and break your workaround).
So you should write your rules in a way that they can't conflict.

HTH
Martin

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=1043115
Received on 2009-01-22 12:35:06 CET

This is an archived mail posted to the Subversion Dev mailing list.