[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: svnserve apparently trying to authenticate even with svn+ssh

From: Erik Huelsmann <ehuels_at_gmail.com>
Date: 2007-10-23 09:35:30 CEST

On 10/23/07, Noah Spurrier <noah@noah.org> wrote:
> Someone (not me :-) upgraded our svn binaries to 1.4.4 today and now everyone
> is getting this error when they try to update or commit:
>
> svn: Not authorized to open root of edit operation
>
> OK, so that seems like it might be a problem authentication with svnserve,
> but the problem is that everyone in the office uses svn+ssh. As I understand
> it svn+ssh starts "svnserve -t" on the server which bypasses authentication
> (considered pre-authehenticated). I do use svnserve with authz so that some
> contractors can get access to only certain parts of the repository. On a
> hunch I edited the svnserve.conf file and I commented out every line. And
> that worked! Now, everyone can update and commit via svn+ssh. The
> svnserve.conf file looks like this now:
>
> #[general]
> #password-db = passwd
> #realm = employees and contractors only.
> #anon-access = none
> #auth-access = write
> #authz-db = authz
>
> The only problem is that this makes no sense. Everyone is using svn+ssh, so
> svnserve shouldn't even check authentication even for newer versions of SVN.

Ah, but see, it *does* make sense: this is the difference between
authentication and authorization. The user is considered
pre-authenicated (meaning svnserve doesn't need to re-establish
identity), but svnserve will apply authorization rules: which user is
allowed which operations?

What you commented out are not only authentication lines, but also
authorization lines, meaning svnserve will allow read and write
operations on all paths (instead of the limited ruleset applied when
the 'authz-db=' line is *not* commented out).

HTH,

Erik.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Tue Oct 23 09:55:55 2007

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.