Re: Subversion access control

From: Andy Canfield <andy.canfield_at_pimco.mobi>
Date: Thu, 21 Jul 2011 11:14:18 +0700

Thank you very much.

On 07/20/2011 12:19 PM, Nico Kadel-Garcia wrote:
> On Tue, Jul 19, 2011 at 11:14 PM, Andy Canfield
> <andy.canfield_at_pimco.mobi> wrote:
>> One thing has hit my mind today that I don't think you realize ...
>> I have never, in my entire life, seen a working Subversion system.
>> Apparently Subversion, as distributed, doesn't work - the access
>> authentications are deliberately turned off.
> I'm afraid it depends on your access requirements. Seriously. Which
> access technology are you using? svn+ssh (which I tend to recommend),
> or Apache (using https://), or svn directly (svn://)? Start with that
> and we'll walk you through it.

OK, here goes.

I would like to use http/https. I am not supposed to be working on the
server, but on my notebook workstation. And svn or svn+ssh require port
3690 to be forwarded by the router, and we don't own the router. So I
would prefer http and/or https.

But on the actual server https is screwed up because mod_dav_svn.so is a
year earlier than Apache, and apparently there is a version mismatch.
When svn is enabled apache is dead. I have put in a request for my
friend to re-install, but that could take a week.

So for the interim I have installed mod_dav etc. on my notebook
computer. FYI it is running Ubuntu Linux 1.04. This is for testing.

Directory /etc/apache2/mods-enabled contains the file dav.load with
these contents:

    LoadModule dav_module /usr/lib/apache2/modules/mod_dav.so

That same directory also contains the file dav_svn.load with these contents:

    # Depends: dav
    LoadModule dav_svn_module /usr/lib/apache2/modules/mod_dav_svn.so
    LoadModule authz_svn_module /usr/lib/apache2/modules/mod_authz_svn.so

That same directory also contains the file dav_svn.conf which I altered;
these are the altered contents:

# dav_svn.conf - Example Subversion/Apache configuration
# For details and further options see the Apache user manual and
# the Subversion book.
# NOTE: for a setup with multiple vhosts, you will want to do this
# configuration in /etc/apache2/sites-available/*, not here.

# <Location URL> ... </Location>
# URL controls how the repository appears to the outside world.
# In this example clients access the repository as http://hostname/svn/
# Note, a literal /svn should NOT exist in your document root.
<Location /svn>

   # Uncomment this to enable the repository
   DAV svn

   # Set this to the path to your repository
   #SVNPath /var/lib/svn
   # Alternatively, use SVNParentPath if you have multiple repositories
   # under a single directory (/var/lib/svn/repo1, /var/lib/svn/repo2, ...).
   # You need either SVNPath and SVNParentPath, but not both.
   #SVNParentPath /var/lib/svn
   SVNParentPath /data/svn

   # Access control is done at 3 levels: (1) Apache authentication, via
   # any of several methods. A "Basic Auth" section is commented out
   # below. (2) Apache <Limit> and <LimitExcept>, also commented out
   # below. (3) mod_authz_svn is a svn-specific authorization module
   # which offers fine-grained read/write access control for paths
   # within a repository. (The first two layers are coarse-grained; you
   # can only enable/disable access to an entire repository.) Note that
   # mod_authz_svn is noticeably slower than the other two layers, so if
   # you don't need the fine-grained control, don't configure it.

   # Basic Authentication is repository-wide. It is not secure unless
   # you are using https. See the 'htpasswd' command to create and
   # manage the password file - and the documentation for the
   # 'auth_basic' and 'authn_file' modules, which you will need for this
   # (enable them with 'a2enmod').
   #AuthType Basic
   #AuthName "Subversion Repository"
   #AuthUserFile /etc/apache2/dav_svn.passwd
   AuthType Basic
   AuthName "Lenny Subversion Repository"
   AuthUserFile /etc/apache2/dav_svn.passwd

   # To enable authorization via mod_authz_svn
   #AuthzSVNAccessFile /etc/apache2/dav_svn.authz

   # The following three lines allow anonymous read, but make
   # committers authenticate themselves. It requires the 'authz_user'
   # module (enable it with 'a2enmod').
     #Require valid-user
   Require valid-user

By the way, all three of the above files in /etc/apache2/mods-enabled
are actually symbolic links to the same file name in ../mods-available.

I used sudo htpasswd to create the /etc/apache2/dav_svn.passwd file:

    andy:4izmp7W8TSqww

Also I created my subversion directory like this:

    sudo bash
    mkdir /data/svn
    chmod a+w /data/svn
    ls /data/svn
    drwxrwxrwx 2 root root 4096 2011-07-21 10:53 /data/svn

Now I point my browser to http://localhost/svn and I get a prompt for a
user name and password. If I type in my valid user name "andy" and a
completely spurious password, I get prompted again. But if I type in my
valid user name and password (as given when I created the dav_svn.passwd
file), the result is:

    Forbidden
    You don't have permission to access /svn on this server.
    Apache/2.2.17 (Ubuntu) Server at localhost Port 80

Of course the /data/svn file is completely empty; there's nothing in it.
OK, so I try to put something in it:

    svnadmin create /data/svn/sample

Now when I point my browser at http://localhost/svn I get the same
"Forbidden" message as before. However, when I point my browser to
"http://localhost/svn/sample" I see a very simple web page:

    sample - Revision 0: /
    Powered by Subversion version 1.6.12 (r955767).

Well, that's something. Doesn't give me any list of repositories, but
it's something.

Isn't http://localhost/svn supposed to show me something useful?

Progress. Thank you very much.

> And please read the walkthroughs at http://svnbook.red-bean.com/,
> which are pretty good, so we can help based on *which* approach you
> want to use.
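
The Location block from the message above with the two changes its symptoms point to, as an added example (not part of the original thread and not Ubuntu's shipped file): `SVNListParentPath On`, so the parent URL lists repositories instead of answering 403, and `SSLRequireSSL`, so Basic credentials are refused over plain http. It assumes mod_ssl is enabled and the block sits inside an HTTPS virtual host.

```apache
# Added example, not the poster's file and not Ubuntu's shipped dav_svn.conf.
# Assumptions: mod_ssl is enabled and this block lives inside an HTTPS
# <VirtualHost>; /etc/apache2/dav_svn.authz is the path from the commented-out
# line in the posted file and still has to be created before it is enabled.
<Location /svn>
   DAV svn
   SVNParentPath /data/svn

   # With SVNParentPath, a request for the parent URL itself (/svn) is
   # refused with 403 unless listing is switched on; /svn/sample works
   # either way, which matches the behaviour described in the message.
   SVNListParentPath On

   # Basic auth sends the password base64-encoded on every request, so
   # reject any request that did not arrive over TLS.
   SSLRequireSSL

   AuthType Basic
   AuthName "Lenny Subversion Repository"
   AuthUserFile /etc/apache2/dav_svn.passwd

   # Optional per-path rules; mod_authz_svn is already loaded by dav_svn.load.
   #AuthzSVNAccessFile /etc/apache2/dav_svn.authz

   # Every request, reads included, must come from a user in the password file.
   Require valid-user
</Location>
```

Only the account Apache runs as (www-data on Ubuntu) needs write access to the repositories under /data/svn, so the world-writable mode on that directory is not required.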
