
Re: disable security hole in svn+ssh?

From: Andy Canfield <andy.canfield_at_pimco.mobi>
Date: Sat, 30 Jul 2011 22:15:25 +0700

On 07/29/2011 02:10 PM, Cooke, Mark wrote:
>
>
>> -----Original Message-----
>> From: Andy Canfield [mailto:andy.canfield_at_pimco.mobi]
>> Sent: 29 July 2011 02:27
>> To: Geoff Hoffman
>> Cc: Nico Kadel-Garcia; users_at_subversion.apache.org
>> Subject: Re: disable security hole in svn+ssh?
> <snip>
>
>> Apparently, regardless of the protocol, the Subversion
>> library code always checks $SVNParentPath/$Repository/conf/*
>> and obeys svnserve.conf and authz. So I need to learn to use
>> that effectively.
> <snip>
>
> I am fairly certain that you are wrong about this, only svnserve looks
> at the svnserve.conf and I believe that you can safely remove this file
> if you do not use svnserve. In fact the first lines of the default file
> are:
>
> ### This file controls the configuration of the svnserve daemon, if you
> ### use it to allow access to this repository. (If you only allow
> ### access through http: and/or file: URLs, then this file is
> ### irrelevant.)
>
> Apache httpd access would not use it at all and will only apply authz if
> you use the AuthzSVNAccessFile directive...
>
> ~ mark c
>
WHOA! Things are getting re-arranged in my mind.

Now I think that svnserve has no global authz file at all, and only
relies on the individual authz file in the conf subdirectory in each
repository, whereas mod_dav_svn relies on a global authz file identified
by the AuthzSVNAccessFile in dav_svn.conf. Does mod_dav_svn check the
individual authz file in the directory, also? Or does it rely solely on
the global authz file? Is this true?

My current create.php script replaces
$SVNParentPath/REPOSITORY/conf/authz with a symbolic link to
$SVNParentPath/conf/authz (which is where my AuthzSVNAccessFile points).
This gives the same authorizations across the entire repository collection.
Received on 2011-07-30 17:16:05 CEST
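As an added example (not from this thread or the poster's create.php), one way to get the same authorization rules on both access paths without symlinking conf/authz: point each repository's svnserve.conf `authz-db` at the shared file that `AuthzSVNAccessFile` names. The repository and file paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: give svnserve and mod_dav_svn one
# set of authorization rules by pointing each repository's svnserve.conf at
# the same file that AuthzSVNAccessFile names, instead of replacing
# conf/authz with a symlink. Paths below are assumptions for illustration.
set -eu

# Rewrite $1/conf/svnserve.conf so svnserve reads its rules from $2 (the
# shared authz file). Overwrites the file; the default one is only comments.
link_shared_authz() {
    repo=$1
    shared=$2
    [ -d "$repo/conf" ] || { echo "no conf dir in $repo" >&2; return 1; }
    [ -f "$shared" ] || { echo "shared authz missing: $shared" >&2; return 1; }
    cat > "$repo/conf/svnserve.conf" <<EOF
[general]
anon-access = none
auth-access = write
authz-db = $shared
EOF
}

# Print the authz-db path a repository's svnserve.conf points at (empty if unset).
shared_authz_path() {
    sed -n 's/^authz-db[[:space:]]*=[[:space:]]*//p' "$1/conf/svnserve.conf"
}

# Matching httpd side (assumed paths): both services now consult one file.
#   <Location /svn>
#     DAV svn
#     SVNParentPath /srv/svn/repos
#     AuthzSVNAccessFile /srv/svn/conf/authz
#   </Location>

# Demo on a constructed layout (no real repositories needed).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/repos/proj1/conf" "$demo_root/conf"
printf '[/]\n* = r\n[proj1:/]\n@devs = rw\n' > "$demo_root/conf/authz"
link_shared_authz "$demo_root/repos/proj1" "$demo_root/conf/authz"
echo "proj1 reads authz from: $(shared_authz_path "$demo_root/repos/proj1")"
rm -rf "$demo_root"
```

Run it once per repository after `svnadmin create`; the shared authz file then governs both svn:// and http:// access.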

This is an archived mail posted to the Subversion Users mailing list.
