[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Problem Understanding ACL Setup with a Directory Hierarchy

From: Tim Noell <tnoell_at_gmail.com>
Date: 2007-04-05 21:54:30 CEST

Hi svn users:

I am having trouble getting an ACL rules file to work the way I need it to.
Perhaps there is something basic I am not understanding ..

I'd appreciate your reviw of what I am trying to do and what I may be doing
wrong.

Here's the scenario:

Repo: https://mls3:8043/acl2

In httpd.conf:
...
# acl2 with acl turned on
<Location /acl2>
    DAV svn
    SVNPath /svn/acl2
    # Our access control policy
    AuthzSVNAccessFile /m/mls/httpd/mls3/acl2.acl
    # Only authenticated users may acces the rpository
    Require valid-user
    # How to authenticate a user
    AuthType Basic
    AuthName "LPDEV username and password"
    AuthUserFile /d1/mls-etc/passwd
</Location>
...

Contents of /m/mls/httpd/mls3/acl2.acl:
[/foo/1.1/next/wip]
tnoell = r
pkg-lib = rw

[/foo/1.1/next/wip/bb]
tnoell = r
pkg-lib = rw

[/foo/1.1/next/wip/src]
tnoell =
pkg-lib = rw

So, I want user tnoell to be able to read /foo/1.1/next/wip and
/foo/1.1/next/wip/bb, but not /foo/1.1/next/wip/src

As user tnoell:
galaxy 0 tmp% whoami
tnoell

If I try to checkout /foo/1.1/next/wip/src I get the expected "403
Forbidden" error:
galaxy 0 tmp% svn co https://mls3:8043/acl2/foo/1.1/next/wip/src foo_src
svn: PROPFIND request failed on '/acl2/foo/1.1/next/wip/src'
svn: PROPFIND of '/acl2/foo/1.1/next/wip/src': 403 Forbidden (
https://mls3:8043)

So far, so good.

BUT, when I check out the wip dir svn happily delivers the src subdir, to
which tnoell should not have access:
galaxy 1 tmp% svn co https://mls3:8043/acl2/foo/1.1/next/wip foo
A foo/bb
A foo/bb/foo.bb
A foo/src
A foo/src/foo.c
Checked out revision 4.

So tnoell can't get wip/src directly, but can get wip which contains src,
and therefore can get src.

The book (v1.4) says:
"The thing to remember is that the most specific path always matches first.
The server tries to match the path itself, and then the parent of the path,
then the parent of that, and so on. The net effect is that mentioning a
specific path in the accessfile will always override any permissions
inherited from parent directories."

But clearly, in this case, the more specific path does not rule, and tnoell
gets wip/src by getting wip which contains src.

We really need the dir structure
wip
wip/bb
wip/src
if at all possible. So, is there any way to get this to work?

Other possibly pertinent info:
I am running svn 1.4.3 for both the client and server. apache is 2.0.59.
Server OS is FreeBSD 5.4
client OS is Red Hat RHEL3

Thanks in advance for any light you can shine,
Tim Noell

-- 
// "Only dead fish go with the flow"
Received on Thu Apr 5 21:54:59 2007

This is an archived mail posted to the Subversion Users mailing list.