Per-Directory Access Control without AuthzSVNAccessFile ?

From: Maurer, Hermann <Hermann.Maurer_at_gft.com>
Date: 2005-05-25 18:33:55 CEST

Hello folks,

I'm having the following problem:

There is a repository with the standard structure:

TRUNK | BRANCHES | TAGS

In TRUNK there are some directories for the developers (D) and for the
project managers (PM). All the users have access to REPO via Apache
HTTPD 2.0 with dav_svn_module and authz_svn_module activated.

For a security reason, only PM must be able to get access to the
directory DIR1 in TRUNK; D must not be able to read/see the content of
At the moment, the following block in the httpd.conf is responsible for
the repository:
<Location /projects/REPO>
    DAV svn
    SVNPath /data/svn/projects/REPO
    allow from all
    AuthName "Access to the repository REPO"
    AuthLDAPEnabled on
    AuthLDAPURL "ldap://host.domain/dc=company,dc=com?cn?sub?"
    require group CN=svn_REPO,OU=groups,OU=city,DC=company,DC=com
    AuthzSVNAccessFile /data/svn/projects/REPO_access.conf
</Location>
As you can see, the users must supply their credentials and be a member
of the LDAP group svn_REPO to be able to access REPO.

This is the content of the file /data/svn/projects/REPO_access.conf:
[groups]
team = user1,user2,user3,user4,user5,.....,user21
manager = pm1,pm2

@team = rw

@team =
@manager = rw
@team =
@manager = rw
@team =
@manager = rw

@team = rw
@manager = rw

I wouldn't like to use the directive AuthzSVNAccessFile, as I must then
keep the list of the members of both of the groups exactly the same: in
the LDAP directory AND in the file REPO_access.conf.

The anonymous access is not for us: if I use '* = r' in the file
REPO_access.conf, EVERY user can get access to REPO (not to DIR1)! So
in that case I do not have to be a member of the LDAP group svn_REPO :-( I
think the directive AuthzSVNAccessFile has a 'higher priority' than the
directive Require.

How should I restrict the access to DIR1 correctly and, if possible,
without AuthzSVNAccessFile?

The second problem is the following:
Let's assume a PM decides to create a new branch and saves it in
BRANCHES. This would mean that I'd need to build a new rule to deny
access to the 'copied' content of DIR1 in BRANCHES! Otherwise D can
suddenly get access to DIR1 under BRANCHES. The same would happen with
TAGS. Unfortunately there is no chance to use patterns in
REPO_access.conf now. For this reason I have to forbid @team all access
to BRANCHES and TAGS :-(
@team =
@manager = rw
But this is painful. Has anybody had and solved this problem?

Thank you very much in advance !

Kind Regards,
Hermann Maurer

Received on Wed May 25 18:36:06 2005
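Added example (not part of the mail above, and not Subversion's own code): a small checker that reads an AuthzSVNAccessFile and answers "what can this user do at this path?", so the two problems in the mail can be tested before a config goes live. It implements the inheritance rule that causes the BRANCHES/TAGS problem: the deepest path section that has a rule naming the user (directly, through a group, or through '*') decides, and a path with no applicable rule anywhere is inaccessible. Inside one section it assumes the precedence user > union of matching groups > '*'; that is a simplification of mod_authz_svn's rule ordering, not a reimplementation of it. The sample policy is constructed after the REPO_access.conf in the mail; the section headers `[/]`, `[/trunk/DIR1]`, `[/branches]` and `[/tags]`, the group `everyone` and the repository tree are assumptions.

```python
import configparser
import posixpath

# Constructed sample modelled on the REPO_access.conf in the mail; the path
# section headers are assumptions, since the archive copy lost them.
SAMPLE_AUTHZ = """\
[groups]
team = user1, user2, user3
manager = pm1, pm2
everyone = @team, @manager
[/]
@everyone = rw
[/trunk/DIR1]
@team =
@manager = rw
"""
# The workaround from the mail: @team locked out of BRANCHES and TAGS entirely.
SAMPLE_AUTHZ_LOCKED = SAMPLE_AUTHZ + "[/branches]\n@team =\n@manager = rw\n[/tags]\n@team =\n@manager = rw\n"
# The '* = r' variant the mail rejects.
SAMPLE_AUTHZ_ANON = SAMPLE_AUTHZ.replace("@everyone = rw\n", "@everyone = rw\n* = r\n")

TEAM = ["user1", "user2", "user3"]
# Constructed repository tree after a PM has copied TRUNK to a branch and a tag.
TREE_AFTER_COPY = ["/trunk/DIR1", "/trunk/DIR2", "/branches/feature-x/DIR1", "/tags/1.0/DIR1"]


def _norm(path):
    """Canonical absolute repository path ('/' for the root)."""
    return posixpath.normpath("/" + path.strip("/"))


class AuthzPolicy:
    def __init__(self, text):
        cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                       comment_prefixes=("#",), strict=True)
        cp.optionxform = str  # keep user and group names case-sensitive
        cp.read_string(text)
        self.groups = {}
        if cp.has_section("groups"):
            for name, members in cp.items("groups"):
                self.groups[name] = [m.strip() for m in members.split(",") if m.strip()]
        self.rules = {}  # (repo or None, path) -> {principal: permission string}
        for section in cp.sections():
            if section == "groups":
                continue
            repo, path = section.split(":", 1) if ":" in section else (None, section)
            self.rules[(repo, _norm(path))] = {k: v.strip() for k, v in cp.items(section)}

    def groups_of(self, user):
        """All groups containing user, following nested @group members (fixpoint)."""
        found = set()
        changed = True
        while changed:
            changed = False
            for name, members in self.groups.items():
                if name not in found and (user in members or
                        any(m.startswith("@") and m[1:] in found for m in members)):
                    found.add(name)
                    changed = True
        return found

    def _decide(self, rules, user):
        """Permission string from one section, or None if no rule names the user."""
        if user in rules:
            return rules[user]
        matched = [rules["@" + g] for g in self.groups_of(user) if "@" + g in rules]
        if matched:
            return "".join(sorted(set("".join(matched))))  # union of group grants
        return rules.get("*")

    def access(self, user, path, repo=None):
        """Effective permissions ('', 'r' or 'rw') for user at path."""
        path = _norm(path)
        while True:
            for key in ((repo, path), (None, path)):
                decision = self._decide(self.rules[key], user) if key in self.rules else None
                if decision is not None:
                    return decision
            if path == "/":
                return ""  # no applicable rule anywhere: default deny
            path = posixpath.dirname(path)


def find_leaks(policy, users, protected_name, paths, repo=None):
    """(user, path) pairs where a directory named protected_name is readable;
    catches copies of the protected directory under branches/ and tags/."""
    return [(u, _norm(p)) for p in paths if posixpath.basename(_norm(p)) == protected_name
            for u in users if "r" in policy.access(u, p, repo)]


if __name__ == "__main__":
    for label, text in (("open", SAMPLE_AUTHZ), ("locked", SAMPLE_AUTHZ_LOCKED)):
        print(label, find_leaks(AuthzPolicy(text), TEAM, "DIR1", TREE_AFTER_COPY))
    print("outsider at /trunk/DIR1 with '* = r':",
          repr(AuthzPolicy(SAMPLE_AUTHZ_ANON).access("nobody", "/trunk/DIR1")))
```

Running the script against the open policy lists every team member as a reader of /branches/feature-x/DIR1 and /tags/1.0/DIR1, because those copies inherit the root grant rather than the `[/trunk/DIR1]` rule; the locked policy reports no leaks. The `* = r` variant shows the other point: a principal that no rule in `[/trunk/DIR1]` names falls through to the root section and inherits read access, so a group-specific empty rule only fences the directory against the groups it names. Re-running the checker whenever the access file or the tree changes is the cheap way to keep the branch and tag copies covered.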

