On Sat, 25 Feb 2006, Lieven Govaerts wrote:
> The correct syntax would be ( example access rights )
>
> [groups]
> theMasters = user1
> admins = admin1, admin2
>
> [/] # <- root folder of your repository
> * = r
> @admins = rw
>
> [/da] # da subfolder in your repository
> @theMasters = rw
[...]
> If you want to specify access per folders with the authz file, put this in
> your svnserve.conf:
>
> anon-access = none
> auth-access = write
>
> You cannot use anonymous access when using authz! [...]

Hi Lieven, hi everybody,

does this mean there's no way to operate anonymously on a repository for
which the authz-db directive is set in svnserve.conf? The release notes
for Subversion 1.3 state under "Path-based authorization for svnserve":

'[...] In order to access a path, both the "blanket" directives and
per-path authz file must allow access.'

For this reason, your suggestion '* = r' for [/] in authz should be
without any effect when 'anon-access=none' in svnserve.conf forbids
anonymous access in general.

This aspect is rather interesting for me, but I don't fully understand
it. Particularly the combination of access rules in svnserve.conf and
the authz file seems somewhat obscure to me. E.g., I can observe the
following cases with an account having full read/write access to a
repository's root:

(1) '* = r' for [/] in authz and 'anon-access=none' in svnserve.conf:
--> Challenge for authentication and subsequent checkout.
(2) Nothing for [/] in authz and 'anon-access=none' in svnserve.conf:
--> Challenge for authentication and subsequent checkout.
(3) '* = r' for [/] in authz and 'anon-access=read' in svnserve.conf:
--> Anonymous checkout leaving out paths with '* = ' in effect.
The user wasn't authenticated at the repository afore.
(4) Nothing for [/] in authz and 'anon-access=read' in svnserve.conf:
--> Challenge for authentication and failure with the line:
"svn: Not authorized to open root of edit operation"

To me, cases (1-3) seem to be absolutely correct, but case (4) - imho -
reveals erroneous behaviour: Even if anonymous access is prohibited by
the default effect of the authz file, i.e. no access at all, svnserve
should be able to perform the requested checkout when it receives a
valid authentication. Moreover, svn leaves an empty working directory
with just the .svn subdirectory in it; normally, it doesn't do that if
an authentication simply fails.

> [..] You have to give users
> read rights on the root of your repository if you want to allow them write
> access somewhere deeper in the repository ( bug in svnserve 1.3 )!

Is that bug perhaps related to the behaviour mentioned above? The user
in case (4) has full access to the whole repository, and the failure
already appears at the checkout, i.e. reading stage.

Any clarifications will be greatly appreciated, thanks in advance.

Regards,
Michael
Received on Sat Feb 25 21:58:49 2006
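
Added example, not part of the original message and not svnserve's code: a Python model of the rule quoted above from the release notes (both the blanket directive and the per-path authz file must allow access), evaluated for the four cases in the message. The user name michael, the /private path and the lookup rule (nearest section with a matching line, highest right in it wins) are assumptions of this model.

```python
import configparser
LEVEL = {"": 0, "none": 0, "r": 1, "read": 1, "rw": 2, "write": 2}

# Constructed authz file: michael has rw everywhere, /private is closed to "*".
AUTHZ_STAR = """
[groups]
admins = michael
[/]
* = r
@admins = rw
[/private]
* =
@admins = rw
"""
AUTHZ_NO_STAR = AUTHZ_STAR.replace("* = r\n", "")  # "nothing for [/]" variant

def parse_authz(text):
    cp = configparser.RawConfigParser(delimiters=("=",))
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(text)
    groups = {g: {m.strip() for m in v.split(",")} for g, v in cp.items("groups")}
    rules = {s: dict(cp.items(s)) for s in cp.sections() if s != "groups"}
    return groups, rules

def authz_level(groups, rules, user, path):
    path = "/" + path.strip("/")  # assumed lookup: nearest section with a match
    while True:
        hits = [LEVEL[v.strip()] for who, v in rules.get(path, {}).items()
                if who == "*" or who == user
                or (who.startswith("@") and user in groups.get(who[1:], ()))]
        if hits:
            return max(hits)
        if path == "/":
            return 0  # no rule matched anywhere: no access
        path = path.rsplit("/", 1)[0] or "/"

def effective(anon_access, authz_text, user, path="/"):
    # user=None is an anonymous client; auth-access = write as in the quoted conf.
    groups, rules = parse_authz(authz_text)
    blanket = LEVEL[anon_access] if user is None else LEVEL["write"]
    return min(blanket, authz_level(groups, rules, user, path))

def four_cases(user="michael"):
    setups = [(AUTHZ_STAR, "none"), (AUTHZ_NO_STAR, "none"),
              (AUTHZ_STAR, "read"), (AUTHZ_NO_STAR, "read")]
    return {n: (effective(anon, authz, None), effective(anon, authz, user))
            for n, (authz, anon) in enumerate(setups, 1)}

print(four_cases())  # per case: (anonymous, authenticated); 0 none, 1 r, 2 rw
```

Under this model, case (4) denies the anonymous client but gives the authenticated user read/write at the root, which is the outcome the message argues for rather than the failure it reports.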