[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Fwd: AuthZ file rules not being respected

From: Carlos Vieira <carlos_at_boreste.us>
Date: Tue, 26 Aug 2008 08:08:36 -0300

Sorry David, sent this mail only to you before without noticing.


Thanks for the reply, but I just tried file:// access to sort out a
problem with my Apache config. Normally only apache (and backup
operators) have filesystem access to my repository.

The problem I am getting is:

user1 can access http://server/svn/whatever (good)
council1 can access http://server/svn/council (good)
user1 can access http://server/svn/council (BAD)

user1 shouldn't be able to access council-only area, but they are.
They can checkout, they can see the contents in the browser, etc. I
haven't tried commits, but I don't want any access, neither read nor

* =
@users = rw

* =
# I thought the following line disabled @users to access /council
#althogether, but it isn't working
@users =
@council = rw

- Vieira

On Tue, Aug 26, 2008 at 1:47 AM, David Weintraub <qazwart_at_gmail.com> wrote:
> On Mon, Aug 25, 2008 at 6:16 PM, Carlos Vieira <carlos_at_boreste.us> wrote:
> > Hello all
> >
> > I have a single-repository multiple-project setup. In it, a subpath on
> > my SVN repos should be readable/writeable only by a few users (on
> > group council), while the rest of the repository catches a wider
> > audience (group users). However, users from the group users can read
> > council-only files through both file:// and http:// URIs.
> You should only use file:/// access on a personal repository where
> you're the only one accessing the repository, and you don't feel like
> running a server. Heck, I'm the administrator and have root access on
> my Subversion server, and I never access the repository via file:///.
> When a user has file:/// access, it means they can directly mess up
> the repository itself, either on purpose, or accidently (like checking
> out a Subversion working directory in the middle of the repository.
> Since you're using http://, the repository does not have to be
> readable or writable to the group "users". That would prevent the
> users from accessing the repository via the file:/// protocol. Set the
> permission of the files in the /my/svn directory tree to 600 or 644,
> and make the ownership and group of the files to be the Apache user
> running the httpd daemon. Set the umask for the Apache user to make
> sure that files created don't have group or other "write" permission.
> That way no one has file:/// access to your repository.
> If you really, really need to have your Council group have file:///
> access, you could create a group called "council" and make all council
> users part of that group. Then make this the group that your Apache
> server uses. Set the umask of the server to 002, and make all files in
> the /my/svn directory tree 664. (Files only! Directories must be 775!)
> However, I don't even use the file:/// protocol when I am accessing my
> own private Subversion repository on my server. I still fire up a
> svnserve process and use svn://.
> --
> David Weintraub
> qazwart_at_gmail.com

Carlos Vieira
.:: Boreste ::. Sistemas Embarcados -- Do Conceito à Inovação
Carlos Vieira
.:: Boreste ::. Sistemas Embarcados -- Do Conceito à Inovação
Received on 2008-08-26 13:09:05 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.