I have encountered what seems to be a bug in the svnserve directory
authorization (authz) system. It has been reported on this mailing
list before over the last year (example: [1]), but I wasn't able to
find a corresponding issue tracker entry, and the problem still seems
to exist in 1.4.2 (I upgraded both the server and my client).

To demonstrate the problem, here is a sample authz file:

    [/]
    fyodor = rw
    * =

The corresponding svnserve.conf includes:

    anon-access = read
    auth-access = write

Given this configuration, 'fyodor' should be able to and can list the
/nmap directory:

    flog> svn ls svn://svn.insecure.org/nmap
    CHANGELOG
    COPYING
    COPYING.OpenSSL
    FingerPrintResults.cc
    [...]

But when I try to check out '/nmap' as 'fyodor', I get:

    flog>svn co svn://svn.insecure.org/nmap/
    svn: Not authorized to open root of edit operation

That is strange, since fyodor is supposed to have 'rw' on [/]. Also,
fyodor can individually read the files with commands like "svn cat
svn://svn.insecure.org/nmap/CHANGELOG". It is just the 'co' command
which is refusing access for some reason.

Specifying the username 'fyodor' explicitly on the checkout line doesn't help:

    flog> svn co --username fyodor svn://svn.insecure.org/nmap/
    svn: Not authorized to open root of edit operation

Yet the following two workarounds do "fix" the problem:

1) If I change "anon-access = read" to "anon-access = none" in
svnserve.conf, suddenly user fyodor can check out the directory. But
this is no good, since I want to give anonymous users access to some
directories, while keeping others private for certain authorized
users.
2) If I change "* =" to "* = r", giving anonymous (and other
non-Fyodor) users read access to the whole repository by default,
fyodor can check out the directory, even if the directory entry
itself blocks anonymous users (while granting fyodor explicit
permission). But this is undesirable, since it then means we have
to remember to explicitly block anonymous users from all private
directories. It is much more secure to deny by default, and
explicitly add access where needed.
It seems like svnserve (or maybe the client) is treating my access as
anonymous rather than noting fyodor's access rights to /nmap/. Do you
agree that this is a bug? Have any ideas for fixing it?
Don't use svn.insecure.org to test this problem, since I just
reconfigured it briefly for these tests. Now I'm returning the old
configuration so other developers can access it again.
Thanks,
Fyodor
[1] http://svn.haxx.se/users/archive-2006-02/0924.shtml
Received on Sat Dec 23 23:29:04 2006
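
Added example (not part of the original message, and not Subversion's own code): a small audit that lists which paths an anonymous user can read under a deny-by-default authz file versus the "* = r" workaround described in 2). It uses a simplified lookup model as an assumption; the /public and /private-notes sections are constructed for illustration.

```python
# Simplified authz model (assumption): no groups, aliases or repo prefixes.
def parse_authz(text):
    """Return {path: [(principal, rights_set), ...]} from authz-style text."""
    rules, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].rstrip("/") or "/"
            rules.setdefault(section, [])
        elif "=" in line and section is not None and not line.startswith("#"):
            who, rights = (part.strip() for part in line.split("=", 1))
            rules[section].append((who, set(rights)))
    return rules

def access(rules, user, path):
    """Rights of user (None = anonymous); nearest matching section decides."""
    path = path.rstrip("/") or "/"
    while True:
        matches = [r for who, r in rules.get(path, []) if who in ("*", user)]
        if matches:  # grants within one section are combined
            return "".join(sorted(set().union(*matches)))
        if path == "/":
            return ""  # no rule applies anywhere: no access
        path = path.rsplit("/", 1)[0] or "/"

def anonymous_readable(rules, paths):
    return [p for p in paths if "r" in access(rules, None, p)]

# Constructed sample files; /public and /private-notes are hypothetical paths.
DENY_BY_DEFAULT = """
[/]
fyodor = rw
* =
[/public]
* = r
"""
ALLOW_BY_DEFAULT = """
[/]
fyodor = rw
* = r
[/nmap]
fyodor = rw
* =
[/private-notes]
fyodor = rw
"""
PATHS = ["/public", "/nmap", "/private-notes"]
print(anonymous_readable(parse_authz(DENY_BY_DEFAULT), PATHS))
print(anonymous_readable(parse_authz(ALLOW_BY_DEFAULT), PATHS))
```

In the second file the /private-notes section grants fyodor access but omits the "* =" line, so the anonymous lookup falls through to the root's "* = r".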