[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Local repository problems

From: Andrew Arnott <andrewarnott_at_gmail.com>
Date: 2004-10-29 15:35:42 CEST

> First of all, there doesn't seem to be any way to restrict read access.
> Basically if you can read the db you have read access to the whole
> repository. I realise I'd have to run svn setuid for anything else to
> work, but am I missing something or is this not implemented yet?

Absolutely there is! If you want to grant read access to just certain
directories in the repository, you can use AuthzSVNAccessFile within
Apache. From the book:
http://svnbook.red-bean.com/svnbook-1.0/ch06s04.html#svn-ch-6-sect-4.4.2

"It's possible to set up finer-grained permissions using a second
Apache httpd module, mod_authz_svn. This module grabs the various
opaque URLs passing from client to server, asks mod_dav_svn to decode
them, and then possibly vetoes requests based on access policies
defined in a configuration file."

Read more from that URL to find out how it works.

> Second svn honors the --username when accessing the repository. I like
> that, but there seems to be no way to check the password? As it
> currently stands, it seems you can impersonate anyone using this.

Have you even set passwords for your users? Hmm.. Maybe you have, but
the module is set up wrong. If you go through Apache, the
authentication can be run through that. If the configuration is
right, it won't let you freely impersonate without a password.

> Should I setup apache even for local access? (currently only running
> apache 1.3 so will be some work).

Local as in just one machine is all that's using the repository?
Hmmm... Maybe Apache is overkill. But then, I've never configured
Subversion to work with authentication without using Apache. So maybe
you'll need it.

Andrew Arnott
Web Developer
Brigham Young University

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Fri Oct 29 15:36:28 2004

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.