
bug w/ apache and ACLs?

From: Markus Werle <numerical.simulation_at_web.de>
Date: Fri, 14 Aug 2009 17:10:33 +0200

Hi!

I would like to report a bug (IMHO it is one) for mod_dav_svn in conjunction with
apache-2.2.11. Could you please confirm this behaviour?

Consider the following folder structure inside the repository in folder REPO:
    
/ROOT
  |-- Some
        |-- Folder
              |-- Stuff
              | |-- SomeTextFile.txt
              |
              |-- Secrets
                    |-- SecretData.txt

My basic apache configuration is as follows:

--snip--
RedirectMatch ^(/svn)$ $1/

<Location /svn>
    DAV svn
    SVNParentPath D:\Somewhere
    SVNListParentPath on
    RedirectMatch 404 ^/(MSOffice/|_vti_bin/|_vti_inf.html$)
    BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
    BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
    BrowserMatch "Microsoft-WebDAV-MiniRedir/5.1.2600" redirect-carefully
    BrowserMatch "^WebDrive" redirect-carefully
    BrowserMatch "^WebDAVFS" redirect-carefully
    SVNAutoversioning On
    SVNReposName "Subversion Repository"
    AuthType Basic
    AuthName "Subversion Repository"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthLDAPBindDN "CN=adminaccount,OU=ServiceAccounts(non-elevated),OU=Operators,DC=EXAMPLE,DC=COM"
    AuthLDAPBindPassword Password
    AuthLDAPURL "ldap://ldapserver:3268/?sAMAccountName?sub" NONE
    Order deny,allow
    Deny from all
</Location>
--snip--
                    
The goal of my Apache ACL configuration is to let user Marcel
have access to the stuff in directory "Stuff", and let other users
have access to all the data.
So I have the following ACL configuration:

--snip--
# This here I hope to be fine, please comment
<Location ~ ^/svn/.+/!svn>
    Satisfy Any
    Require valid-user
</Location>
 
# Next line is the trouble line
<Location ~ (?i)^/svn/REPO/ROOT>
    Satisfy Any
    Require ldap-group CN=SOMEGROUP,OU=Distribution Groups,OU=User Accounts,DC=EXAMPLE,DC=COM
    Require ldap-attribute distinguishedName="CN=Doe\, John,OU=User Accounts,DC=EXAMPLE,DC=COM"
</Location>
 
<Location ~ (?i)^/svn/REPO/ROOT/Some/Folder/Stuff>
    Satisfy Any
    Require ldap-attribute distinguishedName="CN=Marcel,OU=User Accounts,DC=EXAMPLE,DC=COM"
</Location>
--snip--

Everything works as expected:
Marcel can use tortoisesvn, enter the url
http://server/svn/REPO/ROOT/Some/Folder/Stuff
and check out/check in data as planned.
Any other access to the repo is rejected. Fine.

Now I change the configuration in one minor aspect:
"<Location ~ (?i)^/svn/REPO/ROOT>" is replaced by
"<Location ~ (?i)^/svn/REPO>"
and now Marcel no longer has access to
http://server/svn/REPO/ROOT/Some/Folder/Stuff
Note that this rule does not mention Marcel at all.

This led to some headache at my place.
To make things worse the "working" solution does not seem to scale.
Our production environment could not be "healed" by adding
dummy access rules to second level directories.
There is some weird interaction between multiple <Location> rules,
but I cannot figure out what exactly happens and when.

Could you please check whether you can reproduce this behaviour?
Could you please explain what is going on?

best regards,

Markus
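The behaviour described above is consistent with how httpd 2.2 applies regex <Location> sections: they are merged in the order they appear in the configuration, a later matching section overrides an earlier one, and a section's Require list replaces the earlier list rather than adding to it. The widened pattern ^/svn/REPO also matches the /svn/REPO/!svn/... resources that a Subversion client touches on every checkout or commit; because that section comes after the !svn section in the file, its ldap-group and John Doe lines replace Require valid-user for those URIs, Marcel satisfies neither, and the client fails even though the public path still names him. The Python below is an added example, not code from the post or from Subversion or httpd, that models this last-match-wins rule; the merge semantics it encodes are an assumption about httpd 2.2 to verify against your own server (LogLevel debug), the principal mapping is constructed, and the request URIs are constructed to have the shape of pre-1.7 mod_dav_svn traffic.

```python
import re

# Added example (not from the original post): a small model of how httpd 2.2
# merges <Location ~ regex> sections for the Require directive.
# Modelled rule (an assumption about httpd 2.2, check it on your own server):
# sections are applied in configuration-file order, and a later matching
# section's Require list REPLACES the earlier one instead of merging with it.

# Constructed principal mapping: the Require values Marcel can satisfy.
# SOMEGROUP membership and John Doe's DN are not among them.
MARCEL = {"valid-user", "ldap-attribute distinguishedName=CN=Marcel"}

SVN_PRIVATE = r"^/svn/.+/!svn"
STUFF = r"(?i)^/svn/REPO/ROOT/Some/Folder/Stuff"
ADMIN_REQUIRES = (
    "ldap-group CN=SOMEGROUP",
    "ldap-attribute distinguishedName=CN=Doe\\, John",
)


def sections(second_pattern):
    """The post's three sections in file order; only the middle regex varies."""
    return [
        (SVN_PRIVATE, ("valid-user",)),
        (second_pattern, ADMIN_REQUIRES),
        (STUFF, ("ldap-attribute distinguishedName=CN=Marcel",)),
    ]


WORKING = sections(r"(?i)^/svn/REPO/ROOT")
BROKEN = sections(r"(?i)^/svn/REPO")

# Constructed request URIs of the shape a pre-1.7 Subversion client sends when
# working against http://server/svn/REPO/ROOT/Some/Folder/Stuff: the public
# path plus mod_dav_svn's private "!svn" resources (the activity id is fake).
REQUESTS = [
    "/svn/REPO/ROOT/Some/Folder/Stuff",
    "/svn/REPO/!svn/vcc/default",
    "/svn/REPO/!svn/bc/42/ROOT/Some/Folder/Stuff",
    "/svn/REPO/!svn/act/00000000-constructed-activity-id",
]


def effective_require(config, uri):
    """Require list of the LAST matching section (httpd 2.2 override rule)."""
    effective = None
    for pattern, requires in config:
        if re.search(pattern, uri):
            effective = requires
    return effective


def allowed(config, uri, principals):
    """Satisfy Any with Deny from all: the host branch always fails, so the
    user branch must pass; with several Require lines any one is enough."""
    requires = effective_require(config, uri)
    if requires is None:
        return False  # only "Deny from all" applies to this URI
    return any(r in principals for r in requires)


def denied_requests(config, principals=MARCEL):
    """URIs from REQUESTS that this configuration refuses to the principals."""
    return [uri for uri in REQUESTS if not allowed(config, uri, principals)]


if __name__ == "__main__":
    for name, config in (("working", WORKING), ("broken", BROKEN)):
        for uri in REQUESTS:
            print(f"{name:8} {uri:52} -> {effective_require(config, uri)}")
        print(f"{name}: denied to Marcel: {denied_requests(config)}")
```

Running it shows the working configuration denying Marcel nothing, while the widened pattern denies every !svn URI: the public Stuff path is still granted by the last section, but the private resources that carry the actual checkout fall through to the admin-only Require list. Because every client operation goes through those shared !svn paths, per-directory <Location> ACLs on a Subversion repository are fragile by construction; path-based authorization belongs in mod_authz_svn (AuthzSVNAccessFile), which evaluates the repository path rather than the request URI.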

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2383644

Received on 2009-08-14 17:11:27 CEST

This is an archived mail posted to the Subversion Users mailing list.
