
RE: authz and hiding directories that have read access disabled.

From: Lieven Govaerts <lgo_at_mobsol.be>
Date: 2006-03-21 18:45:17 CET

Path-based authz is modeled after Unix folder restrictions. A path on
which you don't have read-access is still visible, that's correct
behaviour.

I'd then consider the behaviour in Trac a bug, or at least very confusing.

If you want to hide folders, just add an extra read-only folder in
between.

Lieven.

> -----Original Message-----
> From: Jon Scott Stevens [mailto:jon@latchkey.com]
> Sent: Tuesday, 21 March 2006 18:17
> To: Subversion Users
> Subject: Fwd: authz and hiding directories that have read access disabled.
>
> Trying once more. Didn't get a response last time. Maybe I
> need to phrase the issue differently?
>
> Read the FAQ. Searched the bug database. Nothing I have seen
> covers this.
>
> jon
>
> Begin forwarded message:
>
> > From: Jon Scott Stevens <jon@latchkey.com>
> > Date: March 16, 2006 6:43:02 PM PST
> > To: Subversion Users <users@subversion.tigris.org>
> > Subject: authz and hiding directories that have read access disabled.
> >
> > I'm running svn 1.3.0 through Apache 2.0.52 on OSX 10.4.5. Here's my
> > authz:
> >
> > [groups]
> > admin = jon
> >
> > [/]
> > * = r
> > @admin = rw
> >
> > [/acl]
> > * =
> > @admin = rw
> >
> > I would expect that when I browse the repo via my http web browser
> > (not authenticated), that the /acl directory would not even get listed
> > in the output (because of the '* ='), but it does. Note, when I try to
> > view the repo, I am properly asked for auth information.
> >
> > I kind of consider this a minor security hole in that svn is exposing
> > the name of a directory which really should not be available publicly.
> > Security through obscurity!
> >
> > By the way, when I browse the same repo using my install of the latest
> > version of Trac, it's smart enough to not list the /acl directory
> > until I authenticate as jon.
> >
> > thanks,
> >
> > jon
> >
> >
> >
> ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> > For additional commands, e-mail: users-help@subversion.tigris.org
>

Received on Tue Mar 21 18:49:51 2006

This is an archived mail posted to the Subversion Users mailing list.
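
Added example, not part of the original thread or of Subversion's code: a small Python audit that evaluates the authz file quoted above and lists the paths an unauthenticated user cannot read although they can read the parent, which is where the directory name shows up according to the behaviour described in this thread. The function names are hypothetical; the sketch handles only the syntax used in the quoted file and assumes that matching lines within one section are combined.

```python
import configparser

# Constructed copy of the authz file quoted in the message above.
AUTHZ = """\
[groups]
admin = jon

[/]
* = r
@admin = rw

[/acl]
* =
@admin = rw
"""

def load(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(text)
    groups = {g: {u.strip() for u in m.split(",")} for g, m in cp["groups"].items()}
    rules = {s: dict(cp[s]) for s in cp.sections() if s.startswith("/")}
    return groups, rules

def parent(path):
    return path.rsplit("/", 1)[0] or "/"

def access(groups, rules, user, path):
    """Rights ('', 'r' or 'rw') from the most specific section that names the user.
    user=None is an unauthenticated client, matched only by '*'."""
    while True:
        granted, matched = set(), False
        for who, rights in rules.get(path, {}).items():
            if who == "*" or who == user or (who[0] == "@" and user in groups.get(who[1:], ())):
                matched = True
                granted |= set(rights.strip())  # assumption: matching lines are combined
        if matched:
            return "".join(sorted(granted))
        if path == "/":
            return ""  # no rule names this user anywhere: no access
        path = parent(path)

def exposed_names(groups, rules, user=None):
    """Denied paths whose parent the user may read, so the parent listing names them."""
    return [p for p in rules if p != "/"
            and "r" not in access(groups, rules, user, p)
            and "r" in access(groups, rules, user, parent(p))]

if __name__ == "__main__":
    print(exposed_names(*load(AUTHZ)))
```
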