
restricting anon access, allowing per-user access (apache, authzsvn)

From: <mark.bergman_at_uphs.upenn.edu>
Date: 2006-12-06 20:09:07 CET


I'm new to administering svn, and I'm trying to set up private repositories
for each user in our lab. The repository structure is fine, and apache is
working correctly, but the authzsvn syntax seems to be causing me trouble.

I can configure read-only access for everyone (after they have authenticated to
apache), and limiting each repository to having write-permission only for the
owner also works. I cannot find a way to prevent read access for authenticated
users for every repository, and restrict their access to just specific

Environment: Linux (Centos 4)
                SVN 1.3.2

Apache svn.conf:
        LoadModule dav_svn_module modules/mod_dav_svn.so
        LoadModule authz_svn_module modules/mod_authz_svn.so

        <Location /users/>
                DAV svn
                SVNParentPath /var/www/svn-users

                AuthzSVNAccessFile /var/www/svn-users/authzsvn.conf
                SVNListParentPath On

                <LimitExcept GET PROPFIND OPTIONS REPORT >
                        AuthType Basic
                        AuthName "Login"
                        PerlAuthenHandler Apache::AuthenNIS
                        Require valid-user
                        PerlSetVar AllowAlternateAuth no
                        Satisfy all
                </LimitExcept>
        </Location>

As far as I can tell, the apache part is working fine (no errors in the logs,
authentication against our NIS servers works correctly, etc.).

The problem seems to be with the authzsvn.conf syntax. I've tried several
variations on the authzsvn.conf file, but I cannot find a scheme where:

        an anonymous user cannot browse any files

        user "alice" can only browse files in the "alice" repository

        user "bob" can only browse the "bob" repository

Here's a chart showing the different authzsvn.conf settings, and whether
anonymous access or authenticated access worked. The order of the options
within a block doesn't make any difference.

For authenticated actions (check out and browsing), everything is from
the perspective of the user "bob".

I would like a configuration where (from bob's point of view):

                        Anon. browsing   alice access   bob access
                        "no"             "no"           "yes"

============ CASE 1 (no access for anyone) ==================================
authzsvn.conf | Anon. browsing   alice access   bob access
============= | ==============   ============   ==========
* =           | No               No             No
[alice:/]     |
alice = rw    |
[bob:/]       |
bob = rw      |

=============== CASE 2 (no access for anyone) ===============================
authzsvn.conf | Anon. browsing   alice access   bob access
============= | ==============   ============   ==========
[/]           |
* = r         | No               No             No
[alice:/]     |
alice = rw    |
* =           |
[bob:/]       |
bob = rw      |
* =           |

================ CASE 3 (authenticated works OK, but too much read access) ==
authzsvn.conf | Anon. browsing   alice access   bob access
============= | ==============   ============   ==========
[/]           |
* = r         | Yes              No             Yes
              | (bob only)
[alice:/]     |
alice = rw    |
* =           |
[bob:/]       |
bob = rw      |

        CASE 1:
                first attempt...deny anonymous access to the root of the
                repositories...no access for anyone

        CASE 2: allow read access to the root, grant explicit permission to the
                named user who owns each repository, and explicitly deny
                anonymous access to each repository. The documentation seems
                to state that the most specific ACL rule should be
                predominant, but the "* =" rule seems to override access for
                the named user.

        CASE 3: Similar to CASE 2, but permitting anonymous read access to the
                root. This is the closest to the configuration I want, but I
                still want to deny the anonymous user the ability to browse
                Bob's repository.

Any suggestions?



Mark Bergman                      mark.bergman@uphs.upenn.edu
System Administrator
Section of Biomedical Image Analysis             215-662-7310
Department of Radiology,           University of Pennsylvania
Received on Wed Dec 6 20:46:58 2006
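
Added example, not part of the original post: a simplified Python model of Subversion's path-based authz lookup (repository-specific section before the global one, parent directories as fallback, deny when nothing matches), run over the CASE 2 and CASE 3 files from the message. `user=None` stands for a request that reaches the authz file without a user name, which is how read methods arrive under the posted `<LimitExcept GET PROPFIND OPTIONS REPORT>` block, since that block requires authentication only for the other methods. Assumptions: the names `parse`, `allowed` and `table` are hypothetical, groups and aliases are left out, and grants on matching lines within one section are unioned.

```python
# Added example: simplified model of Subversion path-based authz lookup.
# Assumptions: no groups/aliases, exact user names, grants in a section are unioned.
CASE2 = """\
[/]
* = r
[alice:/]
alice = rw
* =
[bob:/]
bob = rw
* =
"""
# CASE 3 from the post: the same file without the final "* =" under [bob:/].
CASE3 = CASE2.replace("bob = rw\n* =\n", "bob = rw\n")

def parse(text):
    """Return {section name: [(principal, set of rights), ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif current is not None and "=" in line:
            who, rights = (part.strip() for part in line.split("=", 1))
            current.append((who, set(rights)))
    return sections

def allowed(sections, repo, path, user, need="r"):
    """user=None models an unauthenticated request: only '*' lines match it."""
    while True:
        for name in (f"{repo}:{path}", path):        # repo-specific section first
            hits = [rights for who, rights in sections.get(name, [])
                    if who == "*" or (user is not None and who == user)]
            if hits:                                  # a matching line decides here
                return set(need) <= set().union(*hits)
        if path == "/":
            return False                              # nothing matched: deny
        path = path.rsplit("/", 1)[0] or "/"          # fall back to the parent

def table(text, user):
    """Read access to the root of (alice repo, bob repo) for one identity."""
    s = parse(text)
    return allowed(s, "alice", "/", user), allowed(s, "bob", "/", user)
```

With `user=None` the model returns no access to either repository for CASE 2 and access to the bob repository only for CASE 3; with `user="bob"` both files give bob access to his own repository and none to alice's.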

This is an archived mail posted to the Subversion Users mailing list.
