Hi svn users:
I am having trouble getting an ACL rules file to work the way I need it to.
Perhaps there is something basic I am not understanding ..
I'd appreciate your review of what I am trying to do and what I may be doing
wrong.
Here's the scenario:
Repo: https://mls3:8043/acl2
In httpd.conf:
...
# acl2 with acl turned on
<Location /acl2>
DAV svn
SVNPath /svn/acl2
# Our access control policy
AuthzSVNAccessFile /m/mls/httpd/mls3/acl2.acl
# Only authenticated users may access the repository
Require valid-user
# How to authenticate a user
AuthType Basic
AuthName "LPDEV username and password"
AuthUserFile /d1/mls-etc/passwd
</Location>
...
Contents of /m/mls/httpd/mls3/acl2.acl:
[/foo/1.1/next/wip]
tnoell = r
pkg-lib = rw
[/foo/1.1/next/wip/bb]
tnoell = r
pkg-lib = rw
[/foo/1.1/next/wip/src]
tnoell =
pkg-lib = rw
So, I want user tnoell to be able to read /foo/1.1/next/wip and
/foo/1.1/next/wip/bb, but not /foo/1.1/next/wip/src
As user tnoell:
galaxy 0 tmp% whoami
tnoell
If I try to checkout /foo/1.1/next/wip/src I get the expected "403
Forbidden" error:
galaxy 0 tmp% svn co https://mls3:8043/acl2/foo/1.1/next/wip/src foo_src
svn: PROPFIND request failed on '/acl2/foo/1.1/next/wip/src'
svn: PROPFIND of '/acl2/foo/1.1/next/wip/src': 403 Forbidden (https://mls3:8043)
So far, so good.
BUT, when I check out the wip dir svn happily delivers the src subdir, to
which tnoell should not have access:
galaxy 1 tmp% svn co https://mls3:8043/acl2/foo/1.1/next/wip foo
A foo/bb
A foo/bb/foo.bb
A foo/src
A foo/src/foo.c
Checked out revision 4.
So tnoell can't get wip/src directly, but can get wip which contains src,
and therefore can get src.
The book (v1.4) says:
"The thing to remember is that the most specific path always matches first.
The server tries to match the path itself, and then the parent of the path,
then the parent of that, and so on. The net effect is that mentioning a
specific path in the accessfile will always override any permissions
inherited from parent directories."
But clearly, in this case, the more specific path does not rule, and tnoell
gets wip/src by getting wip which contains src.
We really need the dir structure
wip
wip/bb
wip/src
if at all possible. So, is there any way to get this to work?
Other possibly pertinent info:
I am running svn 1.4.3 for both the client and server. apache is 2.0.59.
Server OS is FreeBSD 5.4
client OS is Red Hat RHEL3
Thanks in advance for any light you can shine,
Tim Noell
--
// "Only dead fish go with the flow"
Received on Thu Apr 5 21:54:59 2007
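
Added example (not part of the original post, and not mod_authz_svn's own code): a simplified Python model of the lookup rule quoted from the book, applied to the access file and the checkout listing above, to report which delivered paths the file says tnoell may not read. It handles only plain user names and `*`; groups and repository-prefixed sections are left out, and all function names are hypothetical.

```python
import configparser

# Access file exactly as posted.
ACL_TEXT = """\
[/foo/1.1/next/wip]
tnoell = r
pkg-lib = rw
[/foo/1.1/next/wip/bb]
tnoell = r
pkg-lib = rw
[/foo/1.1/next/wip/src]
tnoell =
pkg-lib = rw
"""
# Checkout listing from the post; working copy "foo" maps to .../wip.
CHECKOUT = ["foo/bb", "foo/bb/foo.bb", "foo/src", "foo/src/foo.c"]

def load_rules(text):
    """Parse the access file into {path: {name: access}}."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep names case-sensitive
    cp.read_string(text)
    return {s.rstrip("/") or "/": dict(cp[s]) for s in cp.sections()}

def access(rules, user, path):
    """Return 'r', 'rw' or '' by trying the path, then each parent in turn."""
    path = path.rstrip("/") or "/"
    while True:
        section = rules.get(path)
        if section is not None:
            for name in (user, "*"):
                if name in section:
                    return section[name].strip()
        if path == "/":
            return ""  # no rule anywhere up the tree: no access
        path = path.rsplit("/", 1)[0] or "/"

def to_repo(wc_path, wc_root="foo", repo_root="/foo/1.1/next/wip"):
    """Map a working-copy path from the listing to its repository path."""
    return repo_root + wc_path[len(wc_root):]

def unexpected_paths(rules, user, repo_paths):
    """Paths that were delivered although the access file denies read."""
    return [p for p in repo_paths if "r" not in access(rules, user, p)]

if __name__ == "__main__":
    rules = load_rules(ACL_TEXT)
    for p in unexpected_paths(rules, "tnoell", map(to_repo, CHECKOUT)):
        print("delivered but not readable per access file:", p)
```
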