[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Problem with authorized user and SVN access

From: Stefan Sperling <stsp_at_elego.de>
Date: Mon, 22 Jan 2018 13:09:45 +0100

On Mon, Jan 22, 2018 at 11:39:26AM +0000, Stefan Hauffe wrote:
> Hello,
>
> I refined my mail from 05/01/2017 and now I think there is a bug in the mod_authz_svn Module. This may allow users to see content for which they aren't allowed for.
>
> For the general setup, I have an Apache 2.4, Subversion 1.9 modules and mod_lua activated for authentification. The LUA-hook works for none-SVN-Locations, my user is authorized. The httpd.conf and LUA script is attached below.
>
> Case 1:
> - The accessfile configures my user to have access on repo-root:
> [repo:/]
> myuser = rw
> - The client (curl) shows me the repo-root but none of the files below.
> - The error_log shows, that my user got authorized on root:
> [Fri Jan 19 21:20:58.735108 2018] [authz_svn:info] [pid 3465:tid 140589093869312] [client ::1:59812] Access granted: 'myuser' GET (null)
> - But I'm not allowed to see a file below:
> [Fri Jan 19 21:20:58.735706 2018] [authz_svn:info] [pid 3465:tid 140589093869312] [client ::1:59812] Access denied: - GET repo:/muhmiau.txt
>
> Case 2:
> - The accessfile configures everybody to have access on repo-root:
> [repo:/]
> * = rw
> - The client (curl) shows me a repo-root and the files below.
> - The error-log tells, that my user is allowed to see the root and the file:
> [Fri Jan 19 21:26:03.803831 2018] [authz_svn:info] [pid 3425:tid 140589085476608] [client ::1:59814] Access granted: 'myuser' GET (null)
> [Fri Jan 19 21:26:03.806508 2018] [authz_svn:info] [pid 3425:tid 140589085476608] [client ::1:59814] Access granted: 'myuser' GET repo:/muhmiau.txt
>
> Case 3:
> - Now I have an accessfile, which allows everyone to rw, *but not my user*:
> [repo:/]
> * = rw
> myuser =
> - The client (curl) shows me the full repo content
> - The error_log tells, that my user is allowed to see the root and the file:
> [Fri Jan 19 21:29:57.383442 2018] [authz_svn:info] [pid 3426:tid 140589085476608] [client ::1:59816] Access granted: 'myuser' GET (null)
> [Fri Jan 19 21:29:57.385402 2018] [authz_svn:info] [pid 3426:tid 140589085476608] [client ::1:59816] Access granted: - GET repo:/muhmiau.txt
>
> That raised several questions:
> 1. Why is my user not "known" for a special file in Case 1, when it generally works? (Case 2)
> 2. Why does the restriction of a right (Case 3) does not lead to a restricted view? As you can see in the log, the user is not known (like Case 1).
>
> For me, especially Case 3 looks suspicious.
>
> Any help would be appreciated.

This is a common misunderstanding. The behaviour looks strange but it is
the result of the fact that per-path permissions in authz rule sets are
combined in a logical OR fashion, rather than logical AND.

Your interpretation of what your ruleset number 3 means assumes logical AND.
In fact, access to the path / is granted because 'myuser' is matched by '*':

         [repo:/]
         * = rw # grant access to anyone
         myuser = # OR don't provide access to this user (has no effect)

This is hinted at in the svnbook at
http://svnbook.red-bean.com/nightly/en/svn.serverconfig.pathbasedauthz.html#svn.serverconfig.pathbasedauthz.groups

  "Another important fact is that group permissions are not overridden by
  individual user permissions. Rather, the combination of all matching
  permissions is granted."

Where in your example '*' acts like a group which contains all users.

One solution to this problem is to define a group which includes everyone
except 'myuser' and then use give access to the root path to this group.

By the way, you can use the 'svnauthz accessof' command to test your ruleset.
Received on 2018-01-22 13:09:57 CET

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.