
Re: Problem with new directory-level authz authorization with svnserve

From: Lieven Govaerts <lgo_at_mobsol.be>
Date: 2006-05-05 11:06:58 CEST

Fyodor,

at first sight, you're encountering issue 2486:
http://subversion.tigris.org/issues/show_bug.cgi?id=2486 .
This issue has been solved and the solution will be included in svn 1.3.2.

regards,

Lieven.

Quoting Fyodor <fyodor@insecure.org>:

> First, thanks for adding directory-level access control to svnserve.
> That is a feature I have desired for years! Unfortunately, it does
> not seem to work in the way I expect. I am using SVN 1.3.1 on Fedora
> Core 5. Here is a simple authz file which demonstrates the issue:
>
> # Deny by default
> [/]
> * =
>
> # Allow everyone full access to /scratch
> [/scratch]
> * = rw
>
> The idea here is to deny all access by default, then explicitly grant
> users access to the directories they are specifically authorized for.
> But when I run svnserve with the authz above, I find that users are
> able to check out from /scratch and perform other read-only commands.
> But write attempts fail as so:
>
> > svn commit -m "just a test" testfile
> Adding testfile
> Transmitting file data .svn: Commit failed (details follow):
> svn: Access denied
>
> I haven't looked too deeply into the code, but the access denial seems
> to be triggered at line 148 of libsvn_repos/commit.c:
>
>   SVN_ERR (editor_baton->authz_callback (required, &allowed, root,
>                                          path, editor_baton->authz_baton, pool));
>   if (!allowed)
>     return svn_error_create(required & svn_authz_write ?
>                             SVN_ERR_AUTHZ_UNWRITABLE :
>                             SVN_ERR_AUTHZ_UNREADABLE,
>                             NULL, "Access denied");
>
> Writing to the /scratch directory suddenly starts to work if I change my
> authz to allow read access to the root directory as in this version:
>
> [/]
> * = r
>
> # Allow full access to /scratch
> [/scratch]
> * = rw
>
> I don't know if this is expected behavior or a bug, but it seems
> unintuitive that read access to the parent directory is needed in
> order to give RW to a sub directory. And it seems to conflict with
> the SVN book's documentation of the authz syntax. I'd love to see a
> fix which enables us to use default deny of all access to [/], but
> still allow targeted writes of specified directories for specified
> users.
>
>
> Thanks,
> Fyodor
> http://www.insecure.org

Received on Fri May 5 11:08:01 2006

This is an archived mail posted to the Subversion Users mailing list.
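
An added example, not part of the thread and not Subversion's own code: a small Python model that computes the access the two authz files quoted above should grant, so the values can be compared with what a server actually allows. It assumes the lookup rule that the most specific matching path section applies, falling back to parent sections, and it models only `*` entries; the function names are hypothetical.

```python
import configparser

# The two authz files as quoted in the message above.
DENY_ROOT = """
# Deny by default
[/]
* =

# Allow everyone full access to /scratch
[/scratch]
* = rw
"""
READ_ROOT = """
[/]
* = r

# Allow full access to /scratch
[/scratch]
* = rw
"""

def load_rules(text):
    """Map each path section to the access string it gives '*'."""
    cp = configparser.ConfigParser(delimiters=("=",), comment_prefixes=("#",),
                                   interpolation=None)
    cp.read_string(text)
    rules = {}
    for section in cp.sections():
        # Assumption: only '*' entries are modelled; users and groups are ignored.
        if section.startswith("/") and "*" in cp[section]:
            rules[section.rstrip("/") or "/"] = cp[section]["*"].strip()
    return rules

def effective(rules, path):
    """Access at path: nearest section at or above it, empty if none matches."""
    parts = [p for p in path.split("/") if p]
    while True:
        candidate = "/" + "/".join(parts)
        if candidate in rules:
            return rules[candidate]
        if not parts:
            return ""  # no section matched: deny
        parts.pop()

def expected(text, checks):
    """Return {(path, mode): bool} for mode 'r' or 'w' under the given authz text."""
    rules = load_rules(text)
    return {(p, m): m in effective(rules, p) for p, m in checks}
```

Under this model the default-deny file still yields write access to `/scratch/testfile`, which is the outcome the original poster expected from the server.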
