
Re: authz and hiding directories that have read access disabled.

From: Jon Scott Stevens <jon_at_latchkey.com>
Date: 2006-03-22 23:13:40 CET

What if I want to change the behavior of the source code (or allow an
option to do that)?

Which files should I be looking in? I'm not a C expert (more
Java/PHP)... I dug around in repos.c and mod_authz_svn.c, but I'm not
really finding the right places...

thx,

jon

On Mar 21, 2006, at 9:45 AM, Lieven Govaerts wrote:

> Path-based authz is modeled after Unix folder restrictions. A path on
> which you don't have read-access is still visible, that's correct
> behaviour.
>
> I'd then consider the behaviour in Trac a bug, or at least very
> confusing.
>
> If you want to hide folders, just add an extra read-only folder in
> between.
>
> Lieven.
>
>> -----Original Message-----
>> From: Jon Scott Stevens [mailto:jon@latchkey.com]
>> Sent: Tuesday 21 March 2006 18:17
>> To: Subversion Users
>> Subject: Fwd: authz and hiding directories that have read
>> access disabled.
>>
>> Trying once more. Didn't get a response last time. Maybe I
>> need to phrase the issue differently?
>>
>> Read the FAQ. Searched the bug database. Nothing I have seen
>> covers this.
>>
>> jon
>>
>> Begin forwarded message:
>>
>>> From: Jon Scott Stevens <jon@latchkey.com>
>>> Date: March 16, 2006 6:43:02 PM PST
>>> To: Subversion Users <users@subversion.tigris.org>
>>> Subject: authz and hiding directories that have read access disabled.
>>>
>>> I'm running svn 1.3.0 through Apache 2.0.52 on OSX 10.4.5. Here's my
>>> authz:
>>>
>>> [groups]
>>> admin = jon
>>>
>>> [/]
>>> * = r
>>> @admin = rw
>>>
>>> [/acl]
>>> * =
>>> @admin = rw
>>>
>>> I would expect that when I browse the repo via my http web browser
>>> (not authenticated), that the /acl directory would not even get listed
>>> in the output (because of the '* ='), but it does. Note, when I try to
>>> view the repo, I am properly asked for auth information.
>>>
>>> I kind of consider this a minor security hole in that svn is exposing
>>> the name of a directory which really should not be available publicly.
>>> Security through obscurity!
>>>
>>> By the way, when I browse the same repo using my install of the latest
>>> version of Trac, it's smart enough to not list the /acl directory
>>> until I authenticate as jon.
>>>
>>> thanks,
>>>
>>> jon
>>>
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
>>> For additional commands, e-mail: users-help@subversion.tigris.org
>>

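Added example, not code from this thread, from Subversion or from Trac: a small Python model of the two listing behaviours the thread describes. With `filter_unreadable=False` a readable directory lists every entry, including ones the user may not read, which is what Jon reports for svn 1.3.0 browsed through Apache; with `filter_unreadable=True` unreadable entries are dropped, which is what he saw in Trac. It also runs Lieven's workaround: the directory to hide is placed under an extra directory that anonymous users cannot read. The `/private` path, the repository trees, and the user > @group > `*` precedence inside a section are assumptions of this model, not Subversion's own rule-combination logic.

```python
import configparser
from typing import Dict, List, Optional, Set

# The poster's authz rules, copied from the thread.
AUTHZ_ORIGINAL = """\
[groups]
admin = jon

[/]
* = r
@admin = rw

[/acl]
* =
@admin = rw
"""

# Lieven's workaround as an assumed configuration: only @admin may read /private.
AUTHZ_WORKAROUND = """\
[groups]
admin = jon

[/]
* = r
@admin = rw

[/private]
* =
@admin = rw
"""

# Constructed repository layouts (directory -> entry names), not real data.
TREE_ORIGINAL = {"/": ["trunk", "acl"], "/trunk": ["README"],
                 "/acl": ["secrets.txt"]}
TREE_WORKAROUND = {"/": ["trunk", "private"], "/trunk": ["README"],
                   "/private": ["acl"], "/private/acl": ["secrets.txt"]}

def parse_authz(text: str) -> configparser.ConfigParser:
    """authz files are INI-style; keep '*', '@group' and user names verbatim."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def groups_of(cp: configparser.ConfigParser, user: Optional[str]) -> Set[str]:
    """Groups in [groups] that list USER; anonymous (None) belongs to none."""
    if user is None or not cp.has_section("groups"):
        return set()
    return {g for g, members in cp["groups"].items()
            if user in [m.strip() for m in members.split(",")]}

def candidate_sections(path: str) -> List[str]:
    """PATH itself, then each ancestor down to '/', most specific first."""
    parts = [p for p in path.split("/") if p]
    return ["/" + "/".join(parts[:i]) for i in range(len(parts), 0, -1)] + ["/"]

def rights(cp: configparser.ConfigParser, path: str, user: Optional[str]) -> str:
    """Access USER has on PATH ('', 'r' or 'rw'): the most specific section with a
    rule for USER wins; within a section, user > @group > '*' (a simplification)."""
    groups = groups_of(cp, user)
    for section in candidate_sections(path):
        if not cp.has_section(section):
            continue
        rules = cp[section]
        if user is not None and user in rules:
            return rules[user]
        for g in sorted(groups):
            if "@" + g in rules:
                return rules["@" + g]
        if "*" in rules:
            return rules["*"]
    return ""

def can_read(cp, path: str, user: Optional[str]) -> bool:
    return "r" in rights(cp, path, user)

def child(path: str, entry: str) -> str:
    return path.rstrip("/") + "/" + entry

def list_dir(cp, tree: Dict[str, List[str]], path: str, user: Optional[str],
             filter_unreadable: bool) -> Optional[List[str]]:
    """Entries USER sees when listing PATH, or None when PATH itself is denied.
    filter_unreadable=False names every entry of a readable directory (what the
    thread reports for svn 1.3.0); True drops unreadable ones (the Trac behaviour)."""
    if not can_read(cp, path, user):
        return None
    entries = tree.get(path, [])
    if not filter_unreadable:
        return list(entries)
    return [e for e in entries if can_read(cp, child(path, e), user)]

def discoverable_paths(cp, tree, user: Optional[str], filter_unreadable: bool) -> Set[str]:
    """Every path whose *name* USER can learn by browsing down from '/'."""
    seen, todo = set(), ["/"]
    while todo:
        d = todo.pop()
        entries = list_dir(cp, tree, d, user, filter_unreadable)
        if entries is None:  # denied: nothing below this directory is enumerated
            continue
        for e in entries:
            p = child(d, e)
            seen.add(p)
            if p in tree:
                todo.append(p)
    return seen
```

Running `discoverable_paths` for an anonymous user shows the difference the thread is about: with the original rules and unfiltered listings the name `/acl` is exposed even though its contents are not; with the workaround only `/private` is named, and `/private/acl` is never enumerated because the listing of `/private` itself is denied. The workaround therefore hides what is below the intermediate directory, not the intermediate directory's own name, so that name should be a neutral one. Whether a given Subversion version filters entries or not is something to confirm by browsing the real repository unauthenticated rather than by reading this model.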
Received on Wed Mar 22 23:15:37 2006

This is an archived mail posted to the Subversion Users mailing list.