
Problem with new directory-level authz authorization with svnserve

From: Fyodor <fyodor_at_insecure.org>
Date: 2006-05-05 08:13:15 CEST

First, thanks for adding directory-level access control to svnserve.
That is a feature I have desired for years! Unfortunately, it does
not seem to work in the way I expect. I am using SVN 1.3.1 on Fedora
Core 5. Here is a simple authz file which demonstrates the issue:

# Deny by default
[/]
* =

# Allow everyone full access to /scratch
[/scratch]
* = rw

The idea here is to deny all access by default, then explicitly grant
users access to the directories they are specifically authorized for.
But when I run svnserve with the authz above, I find that users are
able to check out from /scratch and perform other read-only commands.
But write attempts fail as so:

> svn commit -m "just a test" testfile
Adding testfile
Transmitting file data .svn: Commit failed (details follow):
svn: Access denied

I haven't looked too deeply into the code, but the access denial seems
to be triggered at line 148 of libsvn_repos/commit.c:

      SVN_ERR (editor_baton->authz_callback (required, &allowed, root,
      path, editor_baton->authz_baton, pool));
      if (!allowed)
        return svn_error_create(required & svn_authz_write ?
                                SVN_ERR_AUTHZ_UNWRITABLE :
                                SVN_ERR_AUTHZ_UNREADABLE,
                                NULL, "Access denied");

Writing to the /scratch directory suddenly starts to work if I change my authz
to allow read access to the root directory as in this version:

[/]
* = r

# Allow full access to /scratch
[/scratch]
* = rw

I don't know if this is expected behavior or a bug, but it seems
unintuitive that read access to the parent directory is needed in
order to give RW to a subdirectory. And it seems to conflict with
the SVN book's documentation of the authz syntax. I'd love to see a
fix which enables us to use default deny of all access to [/], but
still allow targeted writes of specified directories for specified
users.

Thanks,
Fyodor
http://www.insecure.org

Received on Fri May 5 10:48:37 2006
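
Added example (not part of the original message and not Subversion code): a simplified model of path-based authz lookup that evaluates the two authz files from the message side by side, showing that access under /scratch is identical in both and that the working file differs only by granting read on / and on every path that inherits from it. It assumes the most specific section with a rule for the user or `*` decides and ignores groups and repository-prefixed sections; the user `alice` and the path `/private/keys` are constructed.

```python
import configparser

# The two authz files from the message above (comments omitted).
DEFAULT_DENY = "[/]\n* =\n\n[/scratch]\n* = rw\n"
ROOT_READABLE = "[/]\n* = r\n\n[/scratch]\n* = rw\n"


def parse_authz(text):
    """Return {repository path: {user or '*': access string}}."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user names case-sensitive
    cp.read_string(text)
    return {s: {u: v.strip() for u, v in cp[s].items()}
            for s in cp.sections() if s.startswith("/")}


def effective_access(rules, user, path):
    """Walk from the path up to /, stopping at the first section
    that has a rule for the user or for '*' (simplified model)."""
    path = "/" + path.strip("/")
    while True:
        section = rules.get(path, {})
        for who in (user, "*"):
            if who in section:
                return section[who]
        if path == "/":
            return ""  # no rule anywhere: no access
        path = path.rsplit("/", 1)[0] or "/"


def compare(user, paths):
    """Map each path to its (default-deny, root-readable) access pair."""
    deny = parse_authz(DEFAULT_DENY)
    workaround = parse_authz(ROOT_READABLE)
    return {p: (effective_access(deny, user, p),
                effective_access(workaround, user, p)) for p in paths}


if __name__ == "__main__":
    # /private/keys is a constructed path standing in for anything outside /scratch
    paths = ["/", "/scratch/testfile", "/private/keys"]
    for p, (deny, workaround) in compare("alice", paths).items():
        print(f"{p:20} default-deny={deny or '-':3} root-readable={workaround or '-'}")
```

Under this model the second file is no longer default-deny: any path without its own more specific section becomes readable to everyone.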

This is an archived mail posted to the Subversion Users mailing list.
