[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: design problem (bug): cannot check out a 'private' directory in a repos

From: Karl Fogel <kfogel_at_red-bean.com>
Date: Mon, 22 Sep 2008 17:41:30 -0400

Thanks, Mathias. I think there is a workaround for this, but I can't
remember it. However, this question comes up often enough that we
should find out and add it to the FAQ.

I'm CC'ing the dev@ list so we can find that workaround, and then write
the FAQ entry.


Mathias Kende <mathias_at_kende.fr> writes:
> This is a report of something that is not really a bug (because the
> software behave as expected), but is a design problem of the new 1.5
> keywords ($anonymous and &authenticated) for the authz file of svnserve.
> Which prevent to check out a repository with a private directory.
> The problem is that if a directory is readable by anybody but not one of
> its subdirectory then you can't check out the subdirectory.
> Step to reproduce :
> At the root of your svnserve create a new repos :
> svnadmin create test
> Uncomment one user in passwd (e.g. harry=harryssecret) and add the
> passwd file in the svnserve.conf file, wich is now :
> [general]
> anon-access = read
> auth-access = write
> password-db = passwd
> Then, import some files into it :
> svn co svn://localhost/test
> cd test
> mkdir public
> mkdir private
> touch public/foo
> touch private/bar
> svn add public private
> svn ci
> Add "authz-db = authz" in svnserve.conf and modify the authz file to
> something like :
> [aliases]
> [groups]
> [/]
> $anonymous = r
> $authenticated = rw
> [test:/private]
> $anonymous =
> And now, we try to check out some fresh copy of the repos.
> svn co svn://localhost/test
> and
> svn co --username harry --password harryssecret svn://localhost/test
> These two commands have the same result : only the "public" directory is
> checked out.
> My problem is that I know no proper way the check out the entire
> repository.
> The reason is that svnserve sees that no password is needed to read '/'
> so the password is not used (I don't know if the authentication is
> done), and the "private" directory can not be checked out.
> The solution is to c/o separately the other directory :
> cd test
> svn co svn://localhost/test/private
> Which will ask for the password if it has not been given in the previous
> step, and then, you need to modify "test/.svn/entries" and remove all
> the blank lines and the "absent" keyword under the name of the "private"
> directory for it to be recognised as part of the repos. But this is
> something that should not be done I suppose.
> The solution I see to this problem is that when svn sends a credential,
> svnserve should use it to authenticate the user even if it not needed,
> or, even better, when the checkout occurs, the server should ask for a
> password if some sub-directories need authentication (this is not a
> security issue I believe because in any case the name of the "private"
> directory is transmitted to the client as it is in the .svn/entries
> file).
> I hope that I was clear enough,
> thanks,
> Mathias
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe_at_subversion.tigris.org
> For additional commands, e-mail: users-help_at_subversion.tigris.org

To unsubscribe, e-mail: users-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: users-help_at_subversion.tigris.org
Received on 2008-09-22 23:42:01 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.