
MOD_DAV_SVN + SVNSERVE_WRAPPER + file system rights

From: <sbremal_at_hotmail.com>
Date: Thu, 21 Nov 2013 18:37:21 +0000

Hello

I know this topic has been discussed many times but...

I am very happy with the SSH + 'svnserve' access to my repositories, however due to firewall issues I need access through HTTP as well. What I do not want is to set up a 2nd authentication / authorization database.

Here is my current HTTP config:

[
    ...
    LoadModule authz_unixgroup_module libexec/apache22/mod_authz_unixgroup.so
    ...
    AddExternalAuth pwauth /usr/local/bin/pwauth
    SetExternalAuthMethod pwauth pipe
    ...
    <Location /subversion/>
        AuthBasicProvider external
        AuthExternal pwauth
        AuthName Subversion
        AuthType Basic
        AuthzUnixgroup on
        Dav svn
        Require file-group
        SSLRequireSSL
        SVNParentPath /usr/local/svn/
    </Location>
]

1. Any user accessing Subversion has to be authenticated against the Unix password database. Works.
2. Before we hit the Subversion module I would like to authorize the user against the file system. Does not work.

I have repositories laid out on the file system under '/usr/local/svn/' like this:

drwxrwx---  6 root  backup            512 Feb  9  2012 backup
drwxrwx---  6 root  common            512 Feb  9  2012 common
drwxrwx---  6 root  news_alert        512 Jun 14  2012 news_alert
...

Each repository's group is the collection of users who should be able to read and write it, plus Apache's 'www' user. This works fine with 'svnserve', enforced by Unix.

How could I convince Apache to check the directory access rights before it hits MOD_DAV_SVN? There are 2 flaws at the moment:

1. 'Require file-group' checks against '/usr/local/www/apache22/data/subversion/common' and not '/usr/local/svn/common'.
2. It also checks each path component of, for example, '/subversion/ppt/!svn/ver/48/trunk' and not only '/subversion/ppt/'.

Any idea how to fix this? Any other approach to the problem?

Cheers
B.
Received on 2013-11-21 19:37:59 CET

This is an archived mail posted to the Subversion Users mailing list.
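
The check the post asks for, as an added example (not part of the original mail, and not an Apache or Subversion feature): take only the first path component under '/subversion/', map it to a directory under '/usr/local/svn/', and allow the request only if that directory grants rwx to a group the user belongs to. The function names are hypothetical, and how such a check would be wired into Apache is not covered.

```python
import grp
import os
import pwd
import stat
from urllib.parse import unquote

RWX_GROUP = stat.S_IRGRP | stat.S_IWGRP | stat.S_IXGRP


def repo_from_uri(uri, prefix="/subversion/"):
    """Return the repository name (first component under prefix) or None."""
    path = unquote(uri.split("?", 1)[0])
    if not path.startswith(prefix):
        return None
    name = path[len(prefix):].split("/", 1)[0]
    # Reject empty names and anything that could escape the parent directory.
    if name in ("", ".", "..") or "\0" in name:
        return None
    return name


def gids_of(user):
    """Primary plus supplementary group ids from the Unix account database."""
    primary = pwd.getpwnam(user).pw_gid
    return {primary} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}


def authorize(uri, user_gids, parent="/usr/local/svn/"):
    """True only if the repository directory grants rwx to one of user_gids."""
    name = repo_from_uri(uri)
    if name is None:
        return False
    try:
        st = os.lstat(os.path.join(parent, name))  # lstat: do not follow symlinks
    except OSError:
        return False  # missing or unreadable repository: deny
    return (stat.S_ISDIR(st.st_mode)
            and st.st_gid in user_gids
            and (st.st_mode & RWX_GROUP) == RWX_GROUP)


if __name__ == "__main__":
    # Constructed request using the path from the post; the groups are those
    # of the current process (use gids_of(name) for an authenticated user).
    print(authorize("/subversion/ppt/!svn/ver/48/trunk",
                    set(os.getgroups()) | {os.getgid()}))
```

The sub-path after the repository name ('!svn/ver/48/trunk') never reaches the file system check, and any lookup failure results in a deny.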