On Thu, Apr 19, 2012 at 03:00:43PM +0200, Andrea Simonini wrote:
> Hello svn users,
>
> I ran into the following problem(?) when trying to get revision
> properties on a repository with mod_dav_authz enabled.
> Specifically I've installed CollabNetSubversion-server-1.6.12-1
> ( apache 2.2 + DAV ) on Linux REL 5.5.
> I've configured path based authorization with mod_svn_authz.
>
> Now if I issue from svn client a propget command to get a revision
> property (e.g. svn:log) on a URL the user has access to, the behavior is
> different when the creation history of the path is different.
>
> Here follow the steps to reproduce the behavior:
>
> 1) Create a fresh repository:
> $ svnadmin create propget
> $ vi propget/hooks/
> $ mv propget/hooks/pre-revprop-change.tmpl propget/hooks/pre-revprop-change
> $ chmod +x propget/hooks/pre-revprop-change
>
> 2) Add "ACL" in the svn-authz.conf file:
> [groups]
> propget=username
>
> [propget:/level1/level2]
> @propget = rw
>
> 3) Add a two folder tree in the repository structure (level1/level2):
>
> $ svn co http://server/svn/propget
> Authentication realm: <http://server:80> Subversion Repository
> Password for 'ADMIN':
> Checked out revision 0.
> $ cd propget/
> $ mkdir level1
> $ mkdir level1/level2
> $ svn add level1
> A level1
> A level1/level2
> $ svn ci -m"message 000"
> Authentication realm: <http://server:80> Subversion Repository
> Password for 'ADMIN':
> Adding level1
> Adding level1/level2
>
> Committed revision 1.
>
> 4) get revision properties with the specific user:
>
> C:\tmp\test>svn pg svn:log --revprop -r HEAD
> http://server/svn/propget/level1/level2
> --username username
>
> Authentication realm: <http://server:80> Subversion Repository
> Password for 'username': ********
>
> >>>>empty reply
I think this is working as designed.
The user has no access at all to 'level1' as per your authz rule set.
The fact that the revision modifies 'level1' as well as 'level1/level2'
means that the user is not supposed to see the log message of the revision.
No messages of revisions that change 'level1' are allowed to be shown.
Of course, this is somewhat related to an insufficiency in the current
authz design, namely the lack of distinction between "read" and
"directory traversal" ACL properties.
See http://subversion.tigris.org/issues/show_bug.cgi?id=3380
Received on 2012-04-25 15:07:18 CEST
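The behavior discussed in the thread can be reproduced offline with a small model of path-based authz and of the readability check a Subversion server applies before answering a revision-property request. The following is an added example, not code from the thread or from Subversion itself: it parses the quoted authz rule set with a simplified precedence rule (the most specific section with a line that names the user decides, and no applicable rule means no access), classifies a revision as fully, partially or not readable depending on whether every changed path is readable, and hides svn:log unless the revision is fully readable. Treating a partially readable revision as exposing only svn:author and svn:date is my recollection of the repos layer and is an assumption here, as are the second authz file (which grants read on the parent directory, the only workaround available while issue 3380 is open) and the constructed revision data.

```python
"""Model of Subversion path-based authz and revision-property visibility.

Constructed example (not the thread's code and not Subversion's own):
it reproduces the rule set quoted in the mail and a simplified version of
the readability check applied before revision properties are returned.
"""
import configparser
from typing import Dict, List, Optional, Set, Tuple

Rules = Dict[Tuple[Optional[str], str], List[Tuple[str, str]]]
Groups = Dict[str, Set[str]]

# Constructed authz file: the rule set quoted in the mail.
AUTHZ_TEXT = """
[groups]
propget = username

[propget:/level1/level2]
@propget = rw
"""

# Constructed variant: the parent directory is made readable as well, which
# is the workaround while authz has no separate "traversal" permission.
AUTHZ_TEXT_FIXED = AUTHZ_TEXT + """
[propget:/level1]
@propget = r
"""


def parse_authz(text: str) -> Tuple[Groups, Rules]:
    """Parse [groups] and [repo:/path] or [/path] sections into lookup tables."""
    cp = configparser.ConfigParser(delimiters=("=",), allow_no_value=True,
                                   interpolation=None)
    cp.optionxform = str  # principal names are case-sensitive
    cp.read_string(text)
    groups: Groups = {}
    if cp.has_section("groups"):
        for name, members in cp.items("groups"):
            groups[name] = {m.strip() for m in (members or "").split(",") if m.strip()}
    rules: Rules = {}
    for section in cp.sections():
        if section == "groups":
            continue
        repo, _, path = section.rpartition(":")  # no colon -> global section
        key = (repo or None, path.rstrip("/") or "/")
        rules[key] = [(p, perms or "") for p, perms in cp.items(section)]
    return groups, rules


def applies(principal: str, user: str, groups: Groups, seen=frozenset()) -> bool:
    """Does an access line's principal ('*', '@group' or a user name) cover user?"""
    if principal == "*":
        return True
    if principal.startswith("@"):
        name = principal[1:]
        if name in seen:
            return False  # guard against recursive group definitions
        return any(applies(m, user, groups, seen | {name})
                   for m in groups.get(name, ()))
    return principal == user


def can_read(groups: Groups, rules: Rules, repo: str, user: str, path: str) -> bool:
    """Walk from path up to '/'; the most specific rule naming the user decides.

    Simplification of Subversion's precedence rules: a repository-specific
    section wins over a global one for the same path, the first applicable
    line in a section decides, and with no applicable rule access is denied.
    """
    parts = [p for p in path.split("/") if p]
    while True:
        candidate = "/" + "/".join(parts)
        for key in ((repo, candidate), (None, candidate)):
            for principal, perms in rules.get(key, []):
                if applies(principal, user, groups):
                    return "r" in perms
        if not parts:
            return False
        parts.pop()  # move one directory up and inherit its rule


def revision_access(groups: Groups, rules: Rules, repo: str, user: str,
                    changed_paths: List[str]) -> str:
    """Classify a revision as 'full', 'partial' or 'none' readable for user."""
    readable = sum(can_read(groups, rules, repo, user, p) for p in changed_paths)
    if readable == len(changed_paths):
        return "full"
    return "partial" if readable else "none"


def visible_revprops(revprops: Dict[str, str], access: str) -> Dict[str, str]:
    """Filter revision properties by readability: everything for 'full',
    only author and date for 'partial' (assumed), nothing for 'none'."""
    if access == "full":
        return dict(revprops)
    if access == "partial":
        return {k: v for k, v in revprops.items() if k in ("svn:author", "svn:date")}
    return {}


def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """r1 from the mail (both directories created in one commit), evaluated
    against the original and the fixed authz file for user 'username'."""
    r1_paths = ["/level1", "/level1/level2"]
    r1_props = {"svn:log": "message 000", "svn:author": "ADMIN",
                "svn:date": "2012-04-19T13:00:00.000000Z"}  # constructed timestamp
    results = {}
    for label, text in (("original", AUTHZ_TEXT), ("fixed", AUTHZ_TEXT_FIXED)):
        groups, rules = parse_authz(text)
        access = revision_access(groups, rules, "propget", "username", r1_paths)
        results[label] = (access, visible_revprops(r1_props, access).get("svn:log"))
    return results


if __name__ == "__main__":
    for label, (access, log) in demo().items():
        print(f"{label}: revision is {access}ly readable, svn:log -> {log!r}")
```

Running the block shows the "empty reply" from the mail for the original rule set (r1 is only partially readable because '/level1' is not readable) and the log message once '/level1' is granted read access; a revision that touched only '/level1/level2' would be fully readable under either file.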