
Re: server config

From: olli hauer <ohauer_at_gmx.de>
Date: Tue, 20 Aug 2013 07:19:40 +0200

On 2013-08-20 01:41, Nico Kadel-Garcia wrote:
> I think he meant "subversion-1.6.11", which is the default version for
> CentOS 6.4.

Check the SELinux settings in /etc/sysconfig/selinux.
Set the line to 'SELINUX=permissive' (or disabled).

After changing the SELINUX value, a reboot is required.

Additionally, add a trailing '/' so your config looks like this:

RewriteEngine on

# the trailing '/' in /svn/ is needed to browse repos with a standard browser!
RedirectMatch ^(/svn)$ $1/

<Location /svn/>
  DAV svn
  SVNParentPath /var/svn/

  # Authentication: Digest
  AuthName "Subversion repository"
  AuthType Digest
  AuthUserFile /etc/svn-auth.htdigest

  # Authorization: Authenticated users only
  Require valid-user
</Location>

>
> On Mon, Aug 19, 2013 at 6:19 PM, Ben Reser <ben_at_reser.org> wrote:
>
>> On 8/19/13 9:07 AM, Scott Frankel wrote:
>>> I'm new to SVN server configuration and find myself setting up a CentOS
>>> 6.4 server with svn version 1.6.1, following the red-bean book.
>>
>> I'd strongly urge you not to use 1.6.1, see the list of applicable
>> security issues here:
>> http://subversion.apache.org/security/
>>
>> If you're using the CentOS packages they may have patched those issues
>> without updating the svn version number. You should check that though.
>>
>> If you're setting a new server I wouldn't start with 1.6.x but would go
>> straight to 1.7.x or 1.8.x, probably 1.8.x if you can.
>>
>>> I'm having difficulty with authorization &/or authentication: my repo
>>> appears to be accessible by anyone in spite of requiring "valid-user" and
>>> specifying digest authentication. I believe this because 1) I can download
>>> a full working copy of the repo to a 3rd-party logged into a foreign
>>> computer, and 2) I have dozens of entries in apache's logfiles, like these
>>> from this morning, *prior* to any known/legitimate access to my repos today:
>>>
>>> svn_logfile:
>>> [19/Aug/2013:00:46:32 +0000] - checkout-or-export / r1 depth=infinity
>>
>> That does indeed look like access without a user.
>>
>>> access_log
>>> 93.174.93.213 - - [19/Aug/2013:07:23:50 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 319 "-" "ZmEu"
>>>
>>> error_log
>>> [Mon Aug 19 07:23:51 2013] [error] [client 93.174.93.213] File does not exist: /var/www/html/MyAdmin
>>
>> These however do not appear to be alarming at all. Neither of them are
>> under the /svn Location on your server where you have put the Require
>> valid-user requirement. They appear to me to be just normal probes run
>> by someone looking for security holes. This sort of thing is just going
>> to be a normal part of running a server on the Internet.
>>
>>> <Location /svn>
>>> DAV svn
>>> SVNParentPath /var/svn
>>>
>>> # Authentication: Digest
>>> AuthName "Subversion repository"
>>> AuthType Digest
>>> AuthUserFile /etc/svn-auth.htdigest
>>>
>>> # Authorization: Authenticated users only
>>> Require valid-user
>>> </Location>
>>
>> I'm not seeing anything wrong with this, so I'm not sure why you're
>> having a problem. You didn't mention it but I'm wondering what version
>> of httpd you're running, I'm assuming 2.2.x since you're using 1.6.1 on
>> CentOS 6.4.
>>
>>
>
Received on 2013-08-20 07:20:25 CEST

This is an archived mail posted to the Subversion Users mailing list.
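
The triage done by eye in the thread (a "-" user on an SVN operation is a concern, a 404 probe outside /svn is not), as an added example that is not part of the original mail. It assumes the svn_logfile was written with the format `"%t %u %{SVN-ACTION}e"` and the access_log with Apache's "combined" format; all sample lines and function names are constructed for illustration.

```python
import re

# Constructed sample lines (documentation IP ranges), in the two formats quoted
# in the thread. Assumed svn_logfile format: "%t %u %{SVN-ACTION}e".
SVN_LOG = """\
[19/Aug/2013:00:46:32 +0000] - checkout-or-export / r1 depth=infinity
[19/Aug/2013:09:12:05 +0000] alice update /trunk r7 depth=infinity
[19/Aug/2013:09:15:40 +0000] - get-dir /trunk r7 props
"""
# Assumed access_log format: Apache "combined".
ACCESS_LOG = """\
198.51.100.7 - - [19/Aug/2013:07:23:50 +0000] "GET /MyAdmin HTTP/1.1" 404 319 "-" "scanner"
198.51.100.7 - - [19/Aug/2013:07:24:02 +0000] "PROPFIND /svn/repo HTTP/1.1" 401 401 "-" "SVN/1.6.11"
198.51.100.9 - - [19/Aug/2013:07:25:10 +0000] "PROPFIND /svn/repo HTTP/1.1" 207 652 "-" "SVN/1.6.11"
203.0.113.5 - alice [19/Aug/2013:09:12:05 +0000] "REPORT /svn/repo/!svn/vcc/default HTTP/1.1" 200 1180 "-" "SVN/1.6.11"
"""

SVN_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] (?P<user>\S+) (?P<action>.+)$')
ACC_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def anonymous_svn_actions(text):
    """SVN operations that were logged with no authenticated user ('-' in %u)."""
    return [(m['ts'], m['action'])
            for m in map(SVN_RE.match, text.splitlines())
            if m and m['user'] == '-']

def anonymous_svn_requests(text, prefix='/svn'):
    """Requests under the protected prefix that succeeded without a user.

    A 401 with no user is the normal first leg of a Digest handshake, and
    404 probes outside the prefix are scanner noise, so only 2xx counts.
    """
    hits = []
    for m in map(ACC_RE.match, text.splitlines()):
        if not m or m['user'] != '-':
            continue
        path = m['path']
        under_prefix = path == prefix or path.startswith(prefix + '/')
        if under_prefix and m['status'].startswith('2'):
            hits.append((m['ip'], m['method'], path, m['status']))
    return hits

if __name__ == '__main__':
    for ts, action in anonymous_svn_actions(SVN_LOG):
        print('anonymous SVN action:', ts, action)
    for hit in anonymous_svn_requests(ACCESS_LOG):
        print('anonymous 2xx under /svn:', *hit)
```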