[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Possible auth bug in SVN?

From: Davyd McColl <davydm_at_gmail.com>
Date: Thu, 21 Aug 2008 09:54:10 +0200

Thanks for your reply

My SVN server is most definitely configured to require auth on write, with
anonymous read allowed. All revisions committed around that time are
committed with my author name. Going back to the original post: if my
credentials were cached for the first time (the original add, commit,
delete, commit cycle), then I shouldn't have been prompted for login
credentials on subsequent commits, surely? If the creds were just cached and
I was still asked for credentials, then the bug is minor -- it's probably a
not-oft-seen annoyance to have to sometimes re-enter your credentials, even
after you've had a successful login in the recent past. If the creds weren't
cached, it points to a more problematic flaw: that I was potentially able to
modify the repo without auth (and, to re-iterate, auth is required on my
repo to be able to write to it).

The twist in the tale is that I was allowed to perform the add, commit,
delete, commit cycle without auth (which should have required it), and the
update was when I was asked for creds (and anonymous read access is
allowed). My svnserve.conf is madly simple; here it is without all the
comment lines:

anon-access = read
auth-access = write
authz-db = authz
password-db = passwd

my authz is also blatantly simple:
davydm = rw
* = r

Perhaps it is a case of PEBKAC -- if so, please point out to me where I have
gone wrong in the above config, which, to my simple knowledge of the SVN
system, seems to make sense.

Received on 2008-08-23 01:05:47 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.