
Re: Subversion access control

From: Geoff Hoffman <ghoffman_at_cardinalpath.com>
Date: Thu, 21 Jul 2011 08:16:03 -0700

> On Wed, Jul 20, 2011 at 9:14 PM, Andy Canfield <andy.canfield_at_pimco.mobi> wrote:
>
>> Thank you very much.
>>
>>
>> On 07/20/2011 12:19 PM, Nico Kadel-Garcia wrote:
>>
>> On Tue, Jul 19, 2011 at 11:14 PM, Andy Canfield <andy.canfield_at_pimco.mobi> wrote:
>>
>> One thing has hit my mind today that I don't think you realize ...
>>
>> I have never, in my entire life, seen a working Subversion system.
>>
>> Apparently Subversion, as distributed, doesn't work - the access
>> authentications are deliberately turned off.
>>
>> I'm afraid it depends on your access requirements. Seriously. Which
>> access technology are you using? svn+ssh (which I tend to recommend),
>> or Apache (using https://), or svn directly (svn://)? Start with that
>> and we'll walk you through it.
>>
>>
>> OK, here goes.
>>
>> I would like to use http/https. I am not supposed to be working on the
>> server, but on my notebook workstation. And svn or svn+ssh require port 3690
>> to be forwarded by the router, and we don't own the router. So I would
>> prefer http and/or https.
>>
>> But on the actual server https is screwed up because mod_dav_svn.so is a
>> year earlier than Apache, and apparently there is a version mismatch. When
>> svn is enabled apache is dead. I have put in a request for my friend to
>> re-install, but that could take a week.
>>
>> So for the interim I have installed mod_dav etc. on my notebook computer.
>> FYI it is running Ubuntu Linux 1.04. This is for testing.
>>
>> Directory /etc/apache2/mods-enabled contains the file dav.load with these
>> contents:
>>     LoadModule dav_module /usr/lib/apache2/modules/mod_dav.so
>> That same directory also contains the file dav_svn.load with these
>> contents:
>>     # Depends: dav
>>     LoadModule dav_svn_module /usr/lib/apache2/modules/mod_dav_svn.so
>>     LoadModule authz_svn_module /usr/lib/apache2/modules/mod_authz_svn.so
>> That same directory also contains the file dav_svn.conf which I altered;
>> this is the altered contents:
>> # dav_svn.conf - Example Subversion/Apache configuration
>> #
>> # For details and further options see the Apache user manual and
>> # the Subversion book.
>> #
>> # NOTE: for a setup with multiple vhosts, you will want to do this
>> # configuration in /etc/apache2/sites-available/*, not here.
>>
>> # <Location URL> ... </Location>
>> # URL controls how the repository appears to the outside world.
>> # In this example clients access the repository as http://hostname/svn/
>> # Note, a literal /svn should NOT exist in your document root.
>>
>> <Location /svn>
>>
>> # Uncomment this to enable the repository
>> DAV svn
>>
>> # Set this to the path to your repository
>> #SVNPath /var/lib/svn
>>
>> # Alternatively, use SVNParentPath if you have multiple repositories
>> # under a single directory (/var/lib/svn/repo1, /var/lib/svn/repo2, ...).
>> # You need either SVNPath or SVNParentPath, but not both.
>> #SVNParentPath /var/lib/svn
>> SVNParentPath /data/svn
>>
>>
>> # Access control is done at 3 levels: (1) Apache authentication, via
>> # any of several methods. A "Basic Auth" section is commented out
>> # below. (2) Apache <Limit> and <LimitExcept>, also commented out
>> # below. (3) mod_authz_svn is a svn-specific authorization module
>> # which offers fine-grained read/write access control for paths
>> # within a repository. (The first two layers are coarse-grained; you
>> # can only enable/disable access to an entire repository.) Note that
>> # mod_authz_svn is noticeably slower than the other two layers, so if
>> # you don't need the fine-grained control, don't configure it.
>>
>> # Basic Authentication is repository-wide. It is not secure unless
>> # you are using https. See the 'htpasswd' command to create and
>> # manage the password file - and the documentation for the
>> # 'auth_basic' and 'authn_file' modules, which you will need for this
>> # (enable them with 'a2enmod').
>> #AuthType Basic
>> #AuthName "Subversion Repository"
>> #AuthUserFile /etc/apache2/dav_svn.passwd
>> AuthType Basic
>> AuthName "Lenny Subversion Repository"
>>
>> AuthUserFile /etc/apache2/dav_svn.passwd
>>
>> # To enable authorization via mod_authz_svn
>> #AuthzSVNAccessFile /etc/apache2/dav_svn.authz
>>
>> # The following three lines allow anonymous read, but make
>> # committers authenticate themselves. It requires the 'authz_user'
>> # module (enable it with 'a2enmod').
>> #<LimitExcept GET PROPFIND OPTIONS REPORT>
>> #Require valid-user
>> #</LimitExcept>
>>
>> Require valid-user
>>
>> </Location>
>>
>> By the way, all three of the above files in /etc/apache2/mods-enabled are
>> actually symbolic links to the same file name in ../mods-available.
>>
>> I used sudo htpasswd to create the /etc/apache2/dav_svn.passwd file:
>>     andy:4izmp7W8TSqww
>>
>> Also I created my subversion directory like this:
>>     sudo bash
>>     mkdir /data/svn
>>     chmod a+w /data/svn
>>     ls /data/svn
>>     drwxrwxrwx 2 root root 4096 2011-07-21 10:53 /data/svn
>>
>> Now I point my browser to http://localhost/svn and I get a prompt for a
>> user name and password. If I type in my valid user name "andy" and a
>> completely spurious password, I get prompted again. But if I type in my
>> valid user name and password (as given when I created the dav_svn.passwd
>> file), the result is:
>>     Forbidden
>>     You don't have permission to access /svn on this server.
>>     Apache/2.2.17 (Ubuntu) Server at localhost Port 80
>>
>> Of course the /data/svn file is completely empty; there's nothing in it.
>> OK, so I try to put something in it:
>>     svnadmin create /data/svn/sample
>>
>> Now when I point my browser at http://localhost/svn I get the same
>> "Forbidden" message as before. However, when I point my browser to
>> "http://localhost/svn/sample" I see a very
>> simple web page:
>>     sample - Revision 0: /
>>     Powered by Subversion version 1.6.12 (r955767).
>> Well, that's something. Doesn't give me any list of repositories, but it's
>> something.
>>
>> Isn't http://localhost/svn supposed to show me something useful?
>>
>>
> One would think so, yes. I get the same thing, Andy.
>
> Going to http://[mysvnserver]/svn I can log in at the .htaccess prompt, and
> get forbidden. I have SVNListParentPath on also inside the <Location /svn>
> directive. I tried to
> sudo chown -R www-data:www-data /data/svn
> but it had no effect on the list. The error it is throwing is
>
> [Thu Jul 21 08:09:38 2011] [error] [client my-ip-add-ress] The URI does not
> contain the name of a repository. [403, #190001]
>
>

For what it's worth, this was why I added websvn info with how to point
websvn config to your authz file. That is, it matters less that /svn doesn't
work when /websvn/ does and provides a much more useful web interface
(including log browsing, basic diff view, subscribing to RSS of commit logs
and more). Clearly this isn't a fix though.
Received on 2011-07-21 17:16:43 CEST

This is an archived mail posted to the Subversion Users mailing list.
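
Added example (not part of the original thread and not Subversion or Apache code): a small audit of the `<Location /svn>` block and repository directory quoted above, flagging the points the configuration's own comments raise (Basic auth without https, no mod_authz_svn access file) plus the world-writable `/data/svn` created with `chmod a+w`. The function names, finding labels and `SAMPLE_CONF` are assumptions made for illustration; the sample is constructed from the active directives in the quoted file.

```python
import stat

# Constructed sample: the active (uncommented) directives from the quoted dav_svn.conf.
SAMPLE_CONF = """\
<Location /svn>
  DAV svn
  SVNParentPath /data/svn
  AuthType Basic
  AuthName "Lenny Subversion Repository"
  AuthUserFile /etc/apache2/dav_svn.passwd
  #AuthzSVNAccessFile /etc/apache2/dav_svn.authz
  Require valid-user
</Location>
"""

def active_directives(conf_text):
    """Map lower-cased directive name -> arguments, skipping comments and section tags."""
    found = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        name, _, args = line.partition(" ")
        found[name.lower()] = args.strip()
    return found

def audit(conf_text, scheme, repo_mode):
    """Return findings for one <Location> block.

    scheme    -- "http" or "https": how clients reach the Location
    repo_mode -- st_mode of the SVNParentPath directory (as from os.stat)
    """
    d = active_directives(conf_text)
    findings = []
    # Basic auth sends the password base64-encoded, so it needs TLS underneath.
    if d.get("authtype", "").lower() == "basic" and scheme != "https":
        findings.append("basic-auth-over-http")
    # Without a Require line the Auth* directives do not restrict anything.
    if "require" not in d:
        findings.append("no-require-directive")
    # Informational: access is all-or-nothing per repository without mod_authz_svn.
    if "authzsvnaccessfile" not in d:
        findings.append("no-path-level-authz")
    # Any local account can alter or delete repository files.
    if repo_mode & stat.S_IWOTH:
        findings.append("repo-dir-world-writable")
    return findings

if __name__ == "__main__":
    # 0o40777 is drwxrwxrwx, the mode shown in the quoted ls output.
    for finding in audit(SAMPLE_CONF, "http", 0o40777):
        print(finding)
```

On a live host, pass `os.stat("/data/svn").st_mode` as `repo_mode`; a directory owned by the Apache user with mode 750 clears the last finding.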