
RE: Restricting access rights in AuthzSVNAccessFile

From: Dassi, Nasser <NDassi_at_141xm.com>
Date: 2005-01-26 19:29:45 CET

Security (ACLs) typically run in the "path-of-least-resistance" fashion.

Tom and John are anonymous until authenticated. Once authenticated,
they have as much access as possible with the least
challenge/resistance.

In Example 1, everybody is granted Read access (path of least
resistance).

In Example 2, nobody has Read access until otherwise granted (via
@allusers group).

Hope that helps understand security/permissions (and this applies
everywhere).

- nasser

Nasser Dassi
Sr. Technical Programmer
=========================================
E: ndassi@141xm.com
=========================================

-----Original Message-----
From: Nicolas Guerin [mailto:Nicolas.Guerin@xrce.xerox.com]
Sent: Wednesday, January 26, 2005 1:10 PM
To: users@subversion.tigris.org
Subject: Restricting access rights in AuthzSVNAccessFile

Hi,

I need to allow read access to a SVN repository to any authenticated
user but a few.
Since we're using mod_authz_svn for fine-grained user access, I put in
place this simple AuthzSVNAccessFile access file:

   [groups]
   restricted = tom,john

   [/]
   * = r
   @restricted =

I hoped that read access would be granted to all but the 'restricted'
group.
Unfortunately, it is not the case: tom and john can still check out the
repository.

I also tried listing individual users instead of a group, but it didn't
help.

The only workaround I see is to list ALL users (around 3000!) in a
group, and:

   [/]
   * =
   @allusers = r

But I think that SVN performance would suffer...
BTW, I'm using SVN 1.0.6 with https access.

Any idea why the first example does not work?
All suggestions welcome.
Thank you for your help!

Nicolas

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Received on Wed Jan 26 19:33:27 2005
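
A simplified model of the behaviour described in this thread, added here as an example and not taken from either message or from mod_authz_svn's code. It assumes that every line in a section that matches the user contributes its permissions; the users alice and bob and the function names are constructed for illustration.

```python
# Simplified model (an assumption, not mod_authz_svn source): within one
# section, every line that matches the user adds its permissions.

# Constructed copies of the two access files from the thread.
EXAMPLE_1 = """\
[groups]
restricted = tom,john

[/]
* = r
@restricted =
"""

# The thread does not list the members of @allusers; alice and bob are made up.
EXAMPLE_2 = """\
[groups]
allusers = alice,bob

[/]
* =
@allusers = r
"""

def parse(text):
    """Return {section name: [(name, value), ...]} for an authz-style file."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif current is not None:
            name, _, value = line.partition("=")
            current.append((name.strip(), value.strip()))
    return sections

def effective_access(text, user, path="/"):
    """Union of the permissions on every line of [path] that matches user."""
    sections = parse(text)
    groups = {g: {m.strip() for m in v.split(",")} for g, v in sections.get("groups", [])}
    granted = set()
    for who, perms in sections.get(path, []):
        in_group = who.startswith("@") and user in groups.get(who[1:], set())
        if who == "*" or who == user or in_group:
            granted |= set(perms)  # an empty entry adds nothing and removes nothing
    return "".join(sorted(granted))

if __name__ == "__main__":
    for label, text in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2)):
        for user in ("tom", "alice"):
            print(label, user, repr(effective_access(text, user)))
```

In this model tom keeps `r` under Example 1 because `* = r` also matches him, while under Example 2 nobody has access until a group line grants it.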

This is an archived mail posted to the Subversion Users mailing list.
