[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

RE: disable security hole in svn+ssh?

From: Cooke, Mark <mark.cooke_at_siemens.com>
Date: Fri, 29 Jul 2011 08:10:18 +0100

 

> -----Original Message-----
> From: Andy Canfield [mailto:andy.canfield_at_pimco.mobi]
> Sent: 29 July 2011 02:27
> To: Geoff Hoffman
> Cc: Nico Kadel-Garcia; users_at_subversion.apache.org
> Subject: Re: disable security hole in svn+ssh?

<snip>

> Apparently, regardless of the protocol, the Subversion
> library code always checks $SVNParentPath/$Repository/conf/*
> and obeys svnserve.conf and authz. So I need to learn to use
> that effectively.

<snip>

I am fairly certain that you are wrong about this, only svnserve looks
at the svnserve.conf and I believe that you can safely remove this file
if you do not use svnserve. In fact the first lines of the default file
are:

### This file controls the configuration of the svnserve daemon, if you
### use it to allow access to this repository. (If you only allow
### access through http: and/or file: URLs, then this file is
### irrelevant.)

Apache httpd access would not use it at all and will only apply authz if
you use the AuthzSVNAccessFile directive...

~ mark c
Received on 2011-07-29 09:11:24 CEST

This is an archived mail posted to the Subversion Users mailing list.