
possible bug using authz authorization

From: Anders Palm <Anders.Palm_at_prevas.dk>
Date: Thu, 21 Feb 2008 17:30:53 +0100

Hello

I'm experiencing some issues with the authz module on my apache2 svn
service.

Here's my problem:

ssl-configured apache2 server on windows server
Authentication through SSPI.

Most users (on a windows domain) are developers/employees, and should
have total rw access to all repositories.

However, some (external) users need read permission to certain
repositories (and some write permissions too), but definitely not to
all of them.

I'm also using SVNListParentPath to list my repositories for those users
who have access to all repositories.

My authzSVNAccessFile looks something like this:

[groups]
externals = <list of users>

[/]
* = rw

[repos1:/]
@externals =

[repos2:/]
@externals =
someUser = rw

etc...

This blacklisting approach works *almost* the way I want it. I have to
remember to add all new repositories to the list to keep people out, but
I can live with that.

But I have a problem with my lists. The lists are not part of the
repository (apparently; but shouldn't they be?), so they are readable
by any authenticated user. This is a problem, as it could leak
information not supposed to be available to the external users.

I would prefer to do it the other way around (whitelisting) for the
external users, something like this:

[groups]
externals = <list of users>

[/]
* = rw
@externals =

[repos1:/]

[repos2:/]
someUser = rw

etc..

And I would expect every user apart from the externals to have rw
access. But in reality, this is not how it works; apparently it matches
the *-rule, and thus lets all users in.
To me, it would seem logical that the module reacts to the narrowest
scope. Is this a bug or a feature?

I know I could just type in all my users, but that is a rather large
user base! And I would need to update this file every time a user is
added to or removed from the domain.

Help???? :)

Cheers
Anders Palm
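
The two layouts above differ in one thing that matters for authz: in the "whitelist" file an external user matches two rules in the same [/] section (`*` and `@externals`), so the result depends on how mod_authz_svn resolves that conflict, while in the "blacklist" file each external matches exactly one rule per repository section (except where a named external is also granted rw, which is the same conflict again). The script below is an added example, not code from this thread or from Subversion itself. It models the documented path walk (repository-specific section before the generic one, then up the path toward "/", stopping at the first section in which some rule applies to the user) and deliberately leaves the in-section conflict resolution as a parameter, since that is the part the post shows behaving unexpectedly. The user names ext1/ext2 and the files are constructed; the useful part for a practitioner is `ambiguous_sections`, which lints a real authz file for sections whose outcome hinges on conflict resolution rather than on the file alone.

```python
"""Model of mod_authz_svn lookup used to lint an authz file (added example)."""
import configparser

# Constructed "whitelist" layout from the post (ext2 stands in for someUser).
AUTHZ_WHITELIST = """\
[groups]
externals = ext1, ext2

[/]
* = rw
@externals =

[repos1:/]

[repos2:/]
ext2 = rw
"""

# Constructed "blacklist" layout from the post.
AUTHZ_BLACKLIST = """\
[groups]
externals = ext1, ext2

[/]
* = rw

[repos1:/]
@externals =

[repos2:/]
@externals =
ext2 = rw
"""


def parse_authz(text):
    """Return (groups, sections): groups maps name -> set of members,
    sections maps (repo, path) -> [(who, perms), ...] in file order."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   allow_no_value=True)
    cp.optionxform = str            # keep user, group and '*' names as written
    cp.read_string(text)
    groups = {}
    if cp.has_section("groups"):
        for name, members in cp["groups"].items():
            groups[name] = {m.strip() for m in (members or "").split(",") if m.strip()}
    sections = {}
    for name in cp.sections():
        if name in ("groups", "aliases"):
            continue
        repo, sep, path = name.partition(":")
        if not sep:                 # "[/path]" applies to every repository
            repo, path = "", name
        sections[(repo, path)] = [(who, (perms or "").strip())
                                  for who, perms in cp[name].items()]
    return groups, sections


def in_group(user, group, groups, seen=()):
    """Group membership, following nested '@group' members."""
    for member in groups.get(group, ()):
        if member == user:
            return True
        if member.startswith("@") and member[1:] not in seen:
            if in_group(user, member[1:], groups, seen + (member[1:],)):
                return True
    return False


def rule_applies(who, user, groups):
    if who == "*":
        return True
    if who.startswith("@"):
        return in_group(user, who[1:], groups)
    return who == user


def matching_rules(rules, user, groups):
    return [(who, perms) for who, perms in rules if rule_applies(who, user, groups)]


def pick_rule(matches, policy):
    """Resolve several applicable rules in one section. The policy is an
    assumption of this model: 'first'/'last' in file order, or 'specific'
    (a user rule beats a group rule, which beats '*')."""
    if policy == "first":
        return matches[0]
    if policy == "last":
        return matches[-1]

    def rank(rule):
        return 0 if rule[0] == "*" else 1 if rule[0].startswith("@") else 2
    return max(matches, key=rank)


def check_access(authz, repo, path, user, policy="last"):
    """Walk from `path` up to '/', repo-specific section before the generic
    one; the first section holding a rule that applies to `user` decides.
    Returns (perms, section_name, matches); section_name is None if no
    rule anywhere applied (perms is then '' as well)."""
    groups, sections = authz
    p = path.rstrip("/") or "/"
    while True:
        for key in ((repo, p), ("", p)):
            if key in sections:
                matches = matching_rules(sections[key], user, groups)
                if matches:
                    name = f"{key[0]}:{key[1]}" if key[0] else key[1]
                    return pick_rule(matches, policy)[1], name, matches
        if p == "/":
            return "", None, []
        p = p.rsplit("/", 1)[0] or "/"


def ambiguous_sections(authz):
    """Sections where some user matches more than one rule, i.e. where the
    outcome depends on the conflict policy rather than on the file alone."""
    groups, sections = authz
    users = {m for ms in groups.values() for m in ms if not m.startswith("@")}
    users |= {who for rules in sections.values() for who, _ in rules
              if who != "*" and not who.startswith("@")}
    users.add("someone-not-listed")         # stands in for every other domain user
    report = {}
    for (repo, path), rules in sections.items():
        name = f"{repo}:{path}" if repo else path
        for u in sorted(users):
            m = matching_rules(rules, u, groups)
            if len(m) > 1:
                report.setdefault(name, {})[u] = [who for who, _ in m]
    return report


if __name__ == "__main__":
    for label, text in (("whitelist", AUTHZ_WHITELIST), ("blacklist", AUTHZ_BLACKLIST)):
        authz = parse_authz(text)
        print(label, "ambiguous:", ambiguous_sections(authz))
        for policy in ("first", "last", "specific"):
            perms = check_access(authz, "repos1", "/", "ext1", policy)[0]
            print(" ", policy, "-> ext1 on repos1:", perms or "(none)")
```

Run against the whitelist file, `ext1` on repos1 comes out as rw under the `first` policy and as no access under `last` and `specific`, which is exactly the kind of dependence on resolution order the post is describing. The blacklist file gives ext1 an unambiguous deny on repos1, but still grants ext1 rw on any repository that has no section of its own (the "remember to add new repositories" weakness), and its repos2 section is flagged because ext2 matches both `@externals` and its own rule. Running `ambiguous_sections` over a real authz file before deploying it, and rewriting any flagged section so that each user matches one rule, removes the guesswork.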

Received on 2008-02-21 17:31:15 CET

This is an archived mail posted to the Subversion Users mailing list.
