On 07/29/2011 02:10 PM, Cooke, Mark wrote:
>> -----Original Message-----
>> From: Andy Canfield [mailto:andy.canfield_at_pimco.mobi]
>> Sent: 29 July 2011 02:27
>> To: Geoff Hoffman
>> Cc: Nico Kadel-Garcia; users_at_subversion.apache.org
>> Subject: Re: disable security hole in svn+ssh?
>> Apparently, regardless of the protocol, the Subversion
>> library code always checks $SVNParentPath/$Repository/conf/*
>> and obeys svnserve.conf and authz. So I need to learn to use
>> that effectively.
> I am fairly certain that you are wrong about this, only svnserve looks
> at the svnserve.conf and I believe that you can safely remove this file
> if you do not use svnserve. In fact the first lines of the default file
> ### This file controls the configuration of the svnserve daemon, if you
> ### use it to allow access to this repository. (If you only allow
> ### access through http: and/or file: URLs, then this file is
> ### irrelevant.)
> Apache httpd access would not use it at all and will only apply authz if
> you use the AuthzSVNAccessFile directive...
> ~ mark c
WHOA! Things are getting re-arranged in my mind.
Now I think that svnserve has no global authz file at all, and only
relies on the individual authz file in the conf subdirectory in each
repository, whereas mod_dav_svn relies on a global authz file identified
by the AuthzSVNAccessFile in dav_svn.conf. Does mod_dav_svn check the
individual authz file in the directory, also? Or does it rely solely on
the global authz file? Is this true?
My current create.php script replaces
$SVNParentPath/REPOSITORY/conf/authz with a symbolic link to
$SVNParentPath/conf/authz (which is where my AuthzSVNAccessFile points).
This gives the same authorizations across the entire repository collection.
Received on 2011-07-30 17:16:05 CEST
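An added example, not part of the original thread: a Python audit of the layout described in the last message, checking that each repository's conf/authz is a symlink to the shared file and that the authz-db setting in svnserve.conf, which svnserve resolves relative to the conf directory, leads to the same file. The function names, the constructed demo tree and the use of the `format` file to recognise a repository are assumptions of this example.

```python
import configparser
import os
import tempfile

def audit_parent(parent, shared_authz):
    """Map each repository under parent to a list of authz findings."""
    shared_real = os.path.realpath(shared_authz)
    report = {}
    for name in sorted(os.listdir(parent)):
        repo = os.path.join(parent, name)
        if not os.path.isfile(os.path.join(repo, "format")):
            continue  # not a repository (e.g. the shared conf/ directory)
        conf = os.path.join(repo, "conf")
        authz = os.path.join(conf, "authz")
        findings = []
        if not os.path.islink(authz):
            findings.append("conf/authz is a private file, not a symlink")
        elif os.path.realpath(authz) != shared_real:
            findings.append("conf/authz links to a different file")
        # svnserve reads path rules only from the file named by authz-db,
        # resolved relative to the directory holding svnserve.conf.
        cp = configparser.ConfigParser(strict=False, interpolation=None)
        cp.read(os.path.join(conf, "svnserve.conf"))
        db = cp.get("general", "authz-db", fallback=None)
        if db is None:
            findings.append("authz-db unset: svnserve applies no path rules")
        elif os.path.realpath(os.path.join(conf, db)) != shared_real:
            findings.append("authz-db points away from the shared file")
        report[name] = findings
    return report

def _write(path, text):
    with open(path, "w") as fh:
        fh.write(text)

def build_demo_tree():
    """Constructed sample: three repositories under a temporary parent."""
    parent = tempfile.mkdtemp()
    shared = os.path.join(parent, "conf", "authz")
    os.makedirs(os.path.dirname(shared))
    _write(shared, "[/]\n* = r\n")
    cases = [("good", True, "authz-db = authz"),
             ("stale", False, "authz-db = authz"),
             ("quiet", True, "# authz-db = authz")]
    for name, link, db_line in cases:
        conf = os.path.join(parent, name, "conf")
        os.makedirs(conf)
        _write(os.path.join(parent, name, "format"), "5\n")
        _write(os.path.join(conf, "svnserve.conf"), "[general]\n" + db_line + "\n")
        if link:
            os.symlink(shared, os.path.join(conf, "authz"))
        else:
            _write(os.path.join(conf, "authz"), "[/]\n* = rw\n")
    return parent, shared
```

Run `audit_parent` against the real parent directory and shared authz path; an empty list for a repository means both checks passed.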