
Question about path-based authorization

From: Sascha Juch <Sascha.Juch_at_sepago.de>
Date: 2007-08-28 16:08:47 CEST

Hello,

I have a question concerning path-based authorization with subversion.

I'm running subversion on:
* W2k3 + SP2
* Apache 2.0.54
* OpenSSL 0.9.8
* SVN 1.4.0
* PHP 5.0.5
* mod_auth_sspi 1.0.3

Everything is working fine, except the following, which should be possible
according to the manual.

What I want to configure is one of the following two scenarios:
* For a specific repository "test" I want to disallow anyone except a
specific user/group to access the repository. However, I want a few users
to have access to a subdirectory of test called "docs".
* For a specific repository "test2" I want to allow a specific user/group
to have full read access except to a specific subdirectory where only
another specific user/group shall have access.

My httpd.conf contains the following location directive:

<Location /svn>
        DAV svn
        SVNParentPath "d:/src/svn"
        SSLRequireSSL
        AuthName "SVN Server"
        AuthType SSPI
        SSPIAuth On
        # Authentication is necessary
        SSPIAuthoritative On
        SSPIUsernameCase "lower"
        SSPIDomain MYDOMAIN
        # to let non-IE clients connect
        SSPIOfferBasic on
        # keep domain name in userid string
        SSPIOmitDomain off
        # A Require directive may prevent userid from being passed down
        Require valid-user
        AuthzSVNAccessFile "D:/config/svnaccess.conf"
</Location>

My AuthzSVNAccessFile looks like the following:

[groups]
Admins = mydomain\admin1, mydomain\admin2
Management = mydomain\management1, mydomain\management2
Employees = mydomain\sascha, mydomain\foo
TestCrew = mydomain\hurz, mydomain\blub

[/]
* =
@Admins = rw
@Management = r

[test:/]
* =
@TestCrew = rw

[test:/docs/]
mydomain\sascha = r

[test2:/]
@Employees = r

[test2:/secret/]
mydomain\sascha =

What I would expect now is the following:
* no one has access to any repository by default
* Admins have full access to all repositories by default
* Management has full read access to all repos by default

Repository test:
* Only the group TestCrew has (full) access to it - anyone else is not
allowed to peek into the root dir of this repository.
* sascha, however, shall be able to have a look at the documentation
(/docs/). So under the directory /docs in the repository test, hurz and
blub should have full access and sascha should be able to read.

Repository test2:
* All employees (sascha and foo) shall be allowed to read the content of
the root directory
* However, I don't want sascha to peek into the secret subdirectory, so
only foo should be allowed to access it (reading).

As stated in the manual for Path-based config
(http://svnbook.red-bean.com/en/1.4/svn.serverconfig.pathbasedauthz.html
) both of the above should function:

"The thing to remember is that the most specific path always matches
first. The server tries to match the path itself, and then the parent of
the path, then the parent of that, and so on. The net effect is that
mentioning a specific path in the accessfile will always override any
permissions inherited from parent directories.
By default, nobody has any access to the repository at all."

However this is what happens when user sascha tries to access the
repositories:

Repository test:
/test -> "You don't have permission to access /svn/test on this server."
(EXPECTED)
/test/docs -> "You don't have permission to access /svn/test on this
server." (NOT EXPECTED -> I expected to be granted access)

Repository test2:
/test2 -> Access is granted (EXPECTED)
/test2/secret -> Access is granted (NOT EXPECTED -> I expected to get
the forbidden message for this directory)

So anything concerning different access rights on nested folders would
not be possible when setting up repositories.

Maybe there's an error in my reasoning, but I think the access control
doesn't behave like it's expected to.

So is this a bug, or what am I doing wrong?

Thanks a lot in advance,
Sascha Juch
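The lookup the quoted manual text describes, as an added example that is not part of the original post and is not Subversion's own code: a small Python model that reads an access file in the same format and answers whether a user can read a path. It tries the most specific path first and then each parent up to "/", and at each step consults the repository-specific section before the repository-independent one. Two things are this model's assumptions rather than anything stated in the post: the precedence inside a single section (an explicit user line over a group line over `*`), and the names `parse_access_file`, `can_read` and `dead_sections`. The `dead_sections` check rests on one fact about Subversion: it matches section names as exact strings against the canonicalized request path, which carries no trailing slash, so a section spelled `[test:/docs/]` is never consulted for `/docs`. Both access files below are constructed: the first copies the rules from the post, the second is the same file with the two nested section names written without the trailing slash.

```python
"""Toy model of the Subversion access-file lookup the svnbook describes:
most specific path first, then its parent, up to "/"; at each path the
[repo:/path] section is tried before the repository-independent [/path].
Added illustration, not Subversion's code. Modelling assumption: inside
one section an explicit user line beats a group line, which beats "*".
"""

# Constructed copy of the access file from the post. SSPI with
# SSPIOmitDomain off delivers user names as "mydomain\user".
POSTED = r"""
[groups]
Admins = mydomain\admin1, mydomain\admin2
Management = mydomain\management1, mydomain\management2
Employees = mydomain\sascha, mydomain\foo
TestCrew = mydomain\hurz, mydomain\blub

[/]
* =
@Admins = rw
@Management = r

[test:/]
* =
@TestCrew = rw

[test:/docs/]
mydomain\sascha = r

[test2:/]
@Employees = r

[test2:/secret/]
mydomain\sascha =
"""

# Same rules, nested section names without the trailing slash. Subversion
# canonicalizes the requested path (no trailing slash) and compares section
# names as exact strings, so "[test:/docs/]" can never match "/docs".
CORRECTED = POSTED.replace("[test:/docs/]", "[test:/docs]").replace(
    "[test2:/secret/]", "[test2:/secret]")


def parse_access_file(text):
    """Return {section name: {subject: rights}}; rights is 'rw', 'r' or ''."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError("malformed access-file line: %r" % raw)
        subject, _, rights = line.partition("=")
        sections[current][subject.strip()] = rights.strip()
    return sections


def group_members(sections):
    """Map each [groups] entry to the set of its members."""
    return {name: {m.strip() for m in members.split(",") if m.strip()}
            for name, members in sections.get("groups", {}).items()}


def rights_in_section(rules, user, groups):
    """Rights one section gives the user, or None if no line applies
    (user > group > '*' is this model's assumption)."""
    if user in rules:
        return rules[user]
    for group, members in groups.items():
        if user in members and "@" + group in rules:
            return rules["@" + group]
    return rules.get("*")


def parent_of(path):
    """Parent of a canonical path, None once "/" has been handled."""
    return None if path == "/" else (path.rsplit("/", 1)[0] or "/")


def can_read(sections, repo, path, user):
    """Walk from the requested path up to "/", stopping at the first section
    that says anything about the user. Nobody has access by default."""
    groups = group_members(sections)
    current = path
    while current is not None:
        for name in (repo + ":" + current, current):
            rules = sections.get(name)
            if rules is None:
                continue
            rights = rights_in_section(rules, user, groups)
            if rights is not None:
                return "r" in rights
        current = parent_of(current)
    return False


def dead_sections(sections):
    """Section names ending in '/' (other than a bare '/'): never matched."""
    return sorted(name for name in sections
                  if name != "groups" and name.endswith("/")
                  and name.split(":", 1)[-1] != "/")


if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("corrected", CORRECTED)):
        rules = parse_access_file(text)
        print(label, "dead sections:", dead_sections(rules))
        print(label, "sascha test:/docs ->", can_read(rules, "test", "/docs", r"mydomain\sascha"))
        print(label, "sascha test2:/secret ->", can_read(rules, "test2", "/secret", r"mydomain\sascha"))
```

Run against the posted file, the model reproduces both observed results (sascha denied at test:/docs, granted at test2:/secret) for the same reason in both cases: neither nested section is ever consulted, so the walk falls through to `[test:/]` and `[test2:/]`. With the slashes removed it gives the answers the post expects. A rule that silently never matches raises no error anywhere, which is why evaluating the file for each principal and path before deployment is worth the few minutes; the same walk also shows that the `* =` line in `[test:/]` overrides `[/]` completely, so Admins and Management have no access to test at all.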

Received on Tue Aug 28 16:06:34 2007

This is an archived mail posted to the Subversion Users mailing list.
