[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: How to prevent casual browsing

From: olli hauer <ohauer_at_gmx.de>
Date: Sun, 01 Dec 2013 17:51:45 +0100

On 2013-12-01 15:39, Peter Flynn wrote:
> I have a number of svn repositories running under Apache+subversion on
> CentOS6/64, with Submin to provide a web GUI to manage them:
>
> server.name/svn/foo
> server.name/svn/bar
> server.name/svn/blort
> etc
>
> All of them are private; all but one of them are single-user (me) so
> that I can carry on working from any of my machines in multiple
> locations. One of them is shared with colleagues on a project: they all
> have read/write privs on that repo.
>
> The URIs are not published or linked, and my colleagues are all well
> aware of the need to keep their shared URI private. But the requirement
> is that none of them must be open to casual read access via a web
> browser, in case someone happen to stumble upon or guess the URI.
>
> I am having problems getting the access privs right, as they keep
> causing "svn: E220000: Not authorized to open root of edit operation"
> during an svn up. However, in a long exchange with the very helpful
> submin support
> (https://ssl.supermind.nl/collab/projects/submin/ticket/336) we have
> failed to identify settings that work.
>
> Currently the svn/conf/authz file says
>
>> [groups]
>> dev = a,b,c,d,e,me
>>
>> [foo:/]
>> @dev = rw
>>
>> [bar:/]
>> me = rw
>>
>> [blort:/]
>> me = rw
>
> The Apache conf.d/subversion.conf says:
>
>> <Location /svn>
>> DAV svn
>> SVNParentPath /var/lib/submin/svn
>> # removed GET from LimitExcept to prevent casual browsing
>> <LimitExcept PROPFIND OPTIONS REPORT>
>> AuthType Basic
>> AuthName "Authorization Realm"
>> AuthUserFile /etc/svn.auth
>> Require valid-user
>> </LimitExcept>
>> </Location>
>
> and svn.auth specifies a username:encryptedpassword pair for each member
> of [groups] in the usual way.
>
> 1. Browsing with a web browser causes a prompt for the username/password
> as expected.
>
> 2. An svn ci operation works fine.
>
> 3. An svn up operation fails, and always causes an E220000 error.
>
> 4. Replacing the GET in the LimitExcept config allows svn up to work
> without error, but allows casual browsing of the web interface.
>
> Is there a way to prevent the casual browsing while avoiding the E220000
> error?
>

You do not have AuthzSVNAccessFile $path/to/authz in your Location config. 

-- 
olli
Received on 2013-12-01 17:52:19 CET

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.