
svnserve authz related problem

From: ycdtosa <ycdtosa_at_gmail.com>
Date: Fri, 16 Jan 2009 12:14:37 +0100

Hi. After reading / googling and scratching my head for some time now,
I could find very little about a small problem I am having with svnserve
and the authz file, which seems to me like a bug in the Subversion book
or in svnserve.

So, here it is (a simplified version):

I wanted to allow read-only access to my repo to an authenticated user,
and read-write access to anyone else, so I got the following files:

* svnserve.conf:

[general]
anon-access = none
auth-access = write
password-db = passwd
authz-db = authz
realm = My First Repository

* passwd:

[users]
harry = harryssecret
sally = sallyssecret

* authz:

### This file is an example authorization file for svnserve.
### Its format is identical to that of mod_authz_svn authorization
### files.
### As shown below each section defines authorizations for the path and
### (optional) repository specified by the section name.
### The authorizations follow. An authorization line can refer to:
### - a single user,
### - a group of users defined in a special [groups] section,
### - an alias defined in a special [aliases] section,
### - all authenticated users, using the '$authenticated' token,
### - only anonymous users, using the '$anonymous' token,
### - anyone, using the '*' wildcard.
###
### A match can be inverted by prefixing the rule with '~'. Rules can
### grant read ('r') access, read-write ('rw') access, or no access
### ('').

[aliases]

[groups]

[/]
harry = r
$authenticated = rw

And that is it.

The problem is that with this configuration "harry" gets "rw"
permissions, even if to my understanding it shouldn't,
since chapter 6 of the book reads...

   "Another important fact is that the first matching rule is the one
    which gets applied to a user. In the prior example, even though Jane
    is a member of the paint-developers group (which has read/write
    access), the jane = r rule will be discovered and matched before the
    group rule, thus denying Jane write access."

where the "prior example" was this:

   [paint:/projects/paint]
   jane = r
   @paint-developers = rw

Also, googling for a solution I found this post
    [http://blogs.open.collab.net/svn/2007/03/authz_and_anon_.html]

where C. Michael (Mike) Pilato wrote:

   "But what about your authenticated would-be writers? Ah, therein
    lies the rub! *There are no authenticated users.* Since anonymous
    users can checkout the tree, Apache never bothers to query you for
    authentication credentials. And you can't force Subversion to
    transmit authentication credentials when Apache hasn't asked for
    them."

Which *is not the case* since anonymous access is already disabled, thus
svnserve (not Apache here, but I think that is unrelated here)
*does* always require authentication.

Anyhow, I feel this is an issue either in the book or in Subversion,
and should be reported.
This might be a follow-up of this thread:
    [http://osdir.com/ml/version-control.subversion.book/2008-06/msg00101.html]

but I could not find any follow-up on subversion-dev@..

Any thoughts on this? Should I report to subversion-dev?

Thanks.

BTW: I got a solution to the problem I was facing with the following authz file.

    [/]
    harry = r
    ~harry = rw

But still the issue about rule precedence is there.

--
ycdtosa
Received on 2009-01-16 18:04:59 CET

This is an archived mail posted to the Subversion Users mailing list.
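
A lint for the situation described in the post, as an added example that is not part of the original message or of Subversion: it flags a per-user rule whose access is narrower than another rule in the same section that also matches that user. It assumes, consistent with the behaviour reported above, that every matching rule in a section contributes to the result rather than the first match winning; aliases and nested groups are not resolved, and the function names are hypothetical.

```python
import configparser

# Constructed samples: the two [/] sections quoted in the post above.
REPORTED = "[groups]\n\n[/]\nharry = r\n$authenticated = rw\n"
WORKAROUND = "[/]\nharry = r\n~harry = rw\n"

def parse_authz(text):
    """Return (groups, sections); sections maps path -> [(subject, access)]."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str  # keep user names case-sensitive
    cp.read_string(text)
    groups, sections = {}, {}
    for name in cp.sections():
        items = cp.items(name)
        if name == "groups":
            groups = {g: {m.strip() for m in v.split(",") if m.strip()}
                      for g, v in items}
        elif name != "aliases":
            sections[name] = [(s, a.strip()) for s, a in items]
    return groups, sections

def matches(subject, user, groups):
    """True if an authz subject applies to the authenticated user `user`."""
    if subject.startswith("~"):
        return not matches(subject[1:], user, groups)
    if subject in ("*", "$authenticated"):
        return True
    if subject.startswith("@"):  # direct group members only (assumption)
        return user in groups.get(subject[1:], set())
    return subject == user  # "$anonymous" and "&alias" never match here

def shadowed_user_rules(text):
    """List per-user rules that a broader rule in the same section widens."""
    groups, sections = parse_authz(text)
    findings = []
    for path, rules in sections.items():
        for user, access in rules:
            if user[0] in "~@$&*":
                continue  # only plain user names are checked
            for other, other_access in rules:
                if other != user and matches(other, user, groups) \
                        and set(other_access) - set(access):
                    findings.append((path, user, access, other, other_access))
    return findings

if __name__ == "__main__":
    print(shadowed_user_rules(REPORTED))    # the configuration from the post
    print(shadowed_user_rules(WORKAROUND))  # the poster's ~harry variant
```

Each finding is a tuple of section path, user, the user's own access, the broader subject, and the broader access.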