[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: authz woes

From: Shaun Johnson <shaun.johnson_at_gmail.com>
Date: 2007-08-14 15:58:07 CEST

Christoph,

I noticed some similarly odd behavior when I first starting using SVN
and found that the root cause of the problem was that I used the wrong
syntax in the authz file. In the example you gave you added a trailing
slash to all the paths. This is incorrect. You must leave off the last
slash or SVN will not properly apply the permissions. It will not
complain about the incorrect syntax either.

Instead of:

   [/dir2/]
   Alice =

Use:

   [/dir2]
   Alice =

I believe the only exception to the "no trailing slash" rule is [/].

You can also use a tool like Suafe (http://code.google.com/p/suafe/)
to create/edit your authz file (shameless plug). It may be a bit
overkill for such a small authz file, but it will generate valid authz
file syntax.

Shaun

On 8/14/07, Christoph Ludwig <ludwig@fh-worms.de> wrote:
> Hi,
>
> I use subversion 1.4.4 (with Apache httpd 2.2.4) on a Linux machine. (I pasted
> the relevant excerpt from my vhost configuration at the end of this mail.)
> I have a repository named "test" and an authz file with the following content:
>
> [/]
> * =
> Alice = rw
> Bob = r
> Oskar =
>
> [/dir1/dir1_1/]
> Bob = rw
>
> [/dir1/dir1_2/]
> Oskar = r
>
> [/dir2/]
> Alice =
>
> The description in
> <URL:http://svnbook.red-bean.com/nightly/en/svn.serverconfig.pathbasedauthz.html>
> made me expect that Alice can checkout every folder except /dir2. However:
>
> cludwig_at_testserver:~$ /opt/subversion-1.4.4/bin/svn co --username Alice --no-auth-cache https://testserver.fh-worms.de:8443/svn/test/TRUNK/ trunk_alice
> Authentication realm: <https://testserver.fh-worms.de:8443> subversion repositories
> Password for 'Alice':
> A trunk_alice/dir1
> A trunk_alice/dir1/dir1_1
> A trunk_alice/dir1/dir1_1/file_a
> A trunk_alice/dir1/dir1_2
> A trunk_alice/dir1/dir1_2/file_b
> A trunk_alice/dir2
> A trunk_alice/dir2/file_c
> Checked out revision 1.
>
> Alice can checkout /dir2 without problems. (She can even commit modifications
> in /dir2.
>
> Now to Bob. Bob can read / checkout everything as expected. But
> any attempt to checkin a changed file results in a "403 Forbidden"
> error, even in /dir1/dir1_1:
>
> cludwig@testserver:~/trunk_bob/dir1/dir1_1$ echo test_bob > file_a
> cludwig@testserver:~/trunk_bob/dir1/dir1_1$ /opt/subversion-1.4.4/bin/svn ci -m 'Can Bob write to /dir1/dir1_1 ?' --username Bob --no-auth-cache
> Authentication realm: <https://testserver.fh-worms.de:8443> subversion repositories
> Password for 'Bob':
> Sending dir1_1/file_a
> svn: Commit failed (details follow):
> svn: CHECKOUT of '/svn/test/!svn/ver/2/TRUNK/dir1/dir1_1/file_a': 403 Forbidden (https://testserver.fh-worms.de:8443)
>
> Finally, my intention was that Oskar has full access to /dir1/dir1_2/, but to
> no other folder. I know that (some) previous subversion releases required read
> access to / if one wanted any access to a subfolder, but I thought this
> restriction was lifted in 1.4. However, Oskar cannot even checkout
> /dir1/dir1_2/:
>
> cludwig_at_testserver:~$ /opt/subversion-1.4.4/bin/svn co --username Oskar --no-auth-cache https://testserver.fh-worms.de:8443/svn/test/TRUNK/dir1/dir1_2 dir1_2_oskar
> Authentication realm: <https://testserver.fh-worms.de:8443> subversion repositories
> Password for 'Oskar':
> svn: PROPFIND request failed on '/svn/test/TRUNK/dir1/dir1_2'
> svn: PROPFIND of '/svn/test/TRUNK/dir1/dir1_2': 403 Forbidden (https://testserver.fh-worms.de:8443)
>
> It seems either I completely misunderstood how path based access control is
> supposed to work or there is some bug... I'd appreciate any help.
>
> Regards
>
> Christoph
>
>
> Apache configuration excerpt:
>
> <IfModule mod_dav_svn.c>
>
> <Location /svn/>
> DAV svn
>
> # the "test" repository is in /srv/svn/test
> SVNParentPath /srv/svn/
>
> # Don't ask for client certificates
> SSLVerifyClient none
>
> # Authenticate by a simple password file.
> AuthName "subversion repositories"
> AuthType basic
> AuthUserFile /srv/svn/test/conf/httpd.passwd
>
> #################
> # Authorization #
> #################
>
> # try anonymous access first, resort to real
> # authentication if the authorization policy
> # makes it necessary.
> satisfy any
> require valid-user
>
> # authorization policy file
> AuthzSVNAccessFile /srv/svn/test/conf/authz
>
> </Location>
>
> <Directory /srv/svn>
> Options +Indexes +Multiviews -FollowSymLinks
> IndexOptions FancyIndexing \
> ScanHTMLTitles \
> NameWidth=* \
> DescriptionWidth=* \
> SuppressLastModified \
> SuppressSize
>
> order allow,deny
> allow from all
> </Directory>
>
>
> </IfModule>
>
>
> --
> FH Worms - University of Applied Sciences
> Fachbereich Informatik / Telekommunikation
> Erenburgerstr. 19, 67549 Worms, Germany
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: users-help@subversion.tigris.org
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Tue Aug 14 15:56:18 2007

This is an archived mail posted to the Subversion Users mailing list.