restricting anon access, allowing per-user access (apache, authzsvn)

From: <mark.bergman_at_uphs.upenn.edu>
Date: 2006-12-06 20:09:07 CET

Hello,

I'm new to administering svn, and I'm trying to set up private repositories
for each user in our lab. The repository structure is fine, and apache is
working correctly, but the authzsvn syntax seems to be causing me trouble.

I can configure read-only access for everyone (after they have authenticated to
apache), and limiting each repository to having write-permission only for the
owner also works. I cannot find a way to prevent read access for authenticated
users for every repository, and restrict their access to just specific
respositories.

Environment: Linux (Centos 4)
SVN 1.3.2
Apache2.2.2

Apache svn.conf:
-----------------------------
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

        <Location /users/>
                DAV svn
                SVNParentPath /var/www/svn-users

AuthzSVNAccessFile /var/www/svn-users/authzsvn.conf
SVNListParentPath On

                <LimitExcept GET PROPFIND OPTIONS REPORT >
                        SSLRequireSSL
                        AuthType Basic
                        AuthName "Login"
                        PerlAuthenHandler Apache::AuthenNIS
                        Require valid-user
                        PerlSetVar AllowAlternateAuth no
                        Satisfy all
                </LimitExcept>
        </Location>
---------------------------------------------
As far as I can tell, the apache part is working fine (no errors in the logs,
authentication against our NIS servers works correctly, etc.).

The problem seems to be with the authzsvn.conf syntax. I've tried several
variations on the authzsvn.conf file, but I cannot find a scheme where:

an anonymous user cannot browse any files

user "alice" can only browse files in the "alice" repository

user "bob" can only browse the "bob" repository

Here's a chart showing the different authzsvn.conf settings, and whether
anonymous access or authenticated access worked. The order of the options
within a block doesn't make any difference.

For authenticated actions (check out and browsing), everything is from
the perspective of the user "bob".

I would like a configuration where (from bob's point of view):

Anon. browsing alice access bob access
"no" "no" "yes"

=============== CASE 2 (no access for anyone) ===============================
authzsvn.con | Anon. browsing alice access bob access
============ | ============== ============== ==============
[/] |
* = r | No No No
|
[alice:/] |
alice = rw |
* = |
|
[bob:/] |
bob = rw |
* = |
-----------------------------------------------------------------

================ CASE 3 (authenticated works OK, but too much read access) ==
authzsvn.con | Anon. browsing alice access bob access
============ | ============== ============== ==============
[/] |
* = r | Yes No Yes
                  | (bob only)
                  |
[alice:/] |
alice = rw |
* = |
                  |
[bob:/] |
bob = rw |
-----------------------------------------------------------------

        CASE 1:
                first attempt...deny anonymous access to the root of the
                repositories...no access for anyone

        CASE 2: allow read access to the root, grant explicit permision to the
                named user who owns each repository, and explicitly deny
                anonymous access to each repository. The documentation seems
                to state that the most specific ACL rule should be
                predominant, but the "* =" rule seems to override access for
                the named user.

        CASE 3: Similar to CASE 2, but permitting anonymous read access to the
                root. This is the closest to the configuration I want, but I
                still want to deny the anonymous user the ability to browse
                Bob's repository.

Any suggestions?

Thanks,

Mark

----
Mark Bergman                      mark.bergman@uphs.upenn.edu
System Administrator
Section of Biomedical Image Analysis             215-662-7310
Department of Radiology,           University of Pennsylvania
http://pgpkeys.pca.dfn.de:11371/pks/lookup?search=mark.bergman%40.uphs.upenn.edu
The information contained in this e-mail message is intended only for the personal and confidential use of the recipient(s) named above. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this document in error and that any review, dissemination, distribution, or copying of this message is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail, and delete the original message.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Received on Wed Dec 6 20:46:58 2006

This message: [ Message body ]
Next message: Eric Hanchrow: "Re: How do I install the "svn" client and NOT the server?"
Previous message: Jon Koerber: "Re: How do I install the "svn" client and NOT the server?"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]