[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: SVNPathAuthz and 1.1.1

From: Mark Phippard <MarkP_at_softlanding.com>
Date: 2004-11-05 22:35:25 CET

Ben Collins-Sussman <sussman@collab.net> wrote on 11/05/2004 03:48:27 PM:

> >> 'SVNPathAuthz off' will completely disable all path-based authz
> >> checking. It prevents apache from doing GET subrequests to check the
> >> readability of specific repository paths.
> >
> > Thanks. What I do not get is why this is needed. Don't you have to
> > explicitly turn authz on anyway? What is the point of turning it on
> > and
> > off?
>
> mod_dav_svn has no idea if any authorization modules are loaded or not.
> So it's *always* doing GET subrequests on changed-paths, to verify
> whether a revision is wholly readable or not. Even if you have no
> authorization module loaded at all, the subrequests are still
> happening. Maybe they invoke an authorization module, maybe not.
>
> The effect of the security fixes is: mod_dav_svn does a lot more GET
> subrequests than it used to, especially on 'svn log' operations. It's
> a matter of authz correctness.
>
> So, even if you have no authorization module loaded at all, 'svn log'
> is now slower with the security fixes.
>
> The effect of "SVNPathAuthz off" is to disable GET subrequests
> completely, thus regaining speed, but abandoning all hope of authz.

OK, I just tried this and it seems to do what I want.

If I add this directive to my configuration file, people still cannot
browse, checkout or commit to the repository if I have them restricted in
mod_authz. But, for those that are authorized, the log command is now
blisteringly fast.

Am I missing something? Perhaps it is because I am only using
"repository-root" permissions?

Mark

_____________________________________________________________________________
Scanned for SoftLanding Systems, Inc. by IBM Email Security Management Services powered by MessageLabs.
_____________________________________________________________________________

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Fri Nov 5 22:36:00 2004

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.