Re: Problem with authorized user and SVN access

From: Torsten Krah <krah.tm_at_gmail.com>
Date: Tue, 23 Jan 2018 14:45:21 +0100

Am Montag, den 22.01.2018, 13:12 +0100 schrieb Torsten Krah:
> Good catch, but this does not explain the first example of the OP:
>
> [repo:/]
> myuser = rw
> - The client (curl) shows me the repo-root but none of the files below.
> - The error_log shows, that my user got authorized on root:
> [Fri Jan 19 21:20:58.735108 2018] [authz_svn:info] [pid 3465:tid
> 140589093869312] [client ::1:59812] Access granted: 'myuser' GET (null)
> - But I'm not allowed to see a file below:
> [Fri Jan 19 21:20:58.735706 2018] [authz_svn:info] [pid 3465:tid
> 140589093869312] [client ::1:59812] Access denied: - GET
> repo:/muhmiau.txt
>
>
> This should be allowed but fails, ideas?
>
> kind regards
>
> Torsten
>

Just curious about that too - i did some further tests here with the
latest svn trunk + httpd 2.4.29 and this config based on the "cfg" file
from the basic_tests.py (just removed the basic auth part and put the
lua call in):

<Location /svn-test-work/repositories>
  DAV svn
  SVNParentPath
"/home/tkrah/Development/src/subversion/subversion/tests/cmdline/svn-test-work/repositories"
  LuaHookCheckUserID /etc/apache2/auth.lua authcheck_hook early
  AuthzSVNAccessFile
"/home/tkrah/Development/src/subversion/subversion/tests/cmdline/svn-test-work/authz"
  Require valid-user
  SVNAdvertiseV2Protocol on
  SVNCacheRevProps off
</Location>

1. First test with this in authz file:

[/]
* = rw

Then error.log reads like that if i request "basic_tests-10/iota"
resource:

http://localhost:3691/svn-test-work/repositories/basic_tests-10/iota

[Tue Jan 23 14:24:43.181106 2018] [mpm_event:debug] [pid 25340:tid
140737265346304] event.c(2175): AH02471: start_threads: Using epoll
(wakeable)
[Tue Jan 23 14:24:53.068175 2018] [authz_svn:debug] [pid 25340:tid
140737127630592] subversion/mod_authz_svn/mod_authz_svn.c(448): [client
127.0.0.1:17290] Path to authz file
is /home/tkrah/Development/src/subversion/subversion/tests/cmdline/svn-test-work/authz, referer: http://localhost:3691/svn-test-work/repositories/basic_tests-10/
[Tue Jan 23 14:24:53.068400 2018] [authz_svn:info] [pid 25340:tid
140737127630592] [client 127.0.0.1:17290] Access granted: - GET
basic_tests-10:/iota, referer:
http://localhost:3691/svn-test-work/repositories/basic_tests-10/
[Tue Jan 23 14:24:53.068416 2018] [authz_core:debug] [pid 25340:tid
140737127630592] mod_authz_core.c(809): [client 127.0.0.1:17290]
AH01626: authorization result of Require valid-user : denied (no
authenticated user yet), referer:
http://localhost:3691/svn-test-work/repositories/basic_tests-10/
[Tue Jan 23 14:24:53.068421 2018] [authz_core:debug] [pid 25340:tid
140737127630592] mod_authz_core.c(809): [client 127.0.0.1:17290]
AH01626: authorization result of <RequireAny>: denied (no authenticated
user yet), referer:
http://localhost:3691/svn-test-work/repositories/basic_tests-10/
[Tue Jan 23 14:24:53.068748 2018] [lua:debug] [pid 25340:tid
140737127630592] lua_request.c(1838): [client 127.0.0.1:17290] AH01486:
request_rec->dispatching headers_in -> apr table, referer:
http://localhost:3691/svn-test-work/repositories/basic_tests-10/
[Tue Jan 23 14:24:53.068762 2018] [lua:debug] [pid 25340:tid
140737127630592] lua_request.c(1856): [client 127.0.0.1:17290] AH01488:
request_rec->dispatching user -> string, referer:
http://localhost:3691/svn-test-work/repositories/basic_tests-10/
[Tue Jan 23 14:24:53.068768 2018] [lua:debug] [pid 25340:tid
140737127630592] lua_request.c(1856): [client 127.0.0.1:17290] AH01488:
request_rec->dispatching user -> string, referer:
http://localhost:3691/svn-test-work/repositories/basic_tests-10/
[Tue Jan 23 14:24:53.068772 2018] [lua:debug] [pid 25340:tid
140737127630592] lua_request.c(1848): [client 127.0.0.1:17290] AH01487:
request_rec->dispatching debug -> lua_CFunction, referer:
http://localhost:3691/svn-test-work/repositories/basic_tests-10/
[Tue Jan 23 14:24:53.068778 2018] [lua:debug] [pid 25340:tid
140737127630592] @/etc/apache2/auth.lua(23): [client 127.0.0.1:17290]
user foo: OK, referer:
http://localhost:3691/svn-test-work/repositories/basic_tests-10/
[Tue Jan 23 14:24:53.068793 2018] [authz_svn:debug] [pid 25340:tid
140737127630592] subversion/mod_authz_svn/mod_authz_svn.c(448): [client
127.0.0.1:17290] Path to authz file
is /home/tkrah/Development/src/subversion/subversion/tests/cmdline/svn-test-work/authz, referer: http://localhost:3691/svn-test-work/repositories/basic_tests-10/
[Tue Jan 23 14:24:53.068823 2018] [authz_svn:info] [pid 25340:tid
140737127630592] [client 127.0.0.1:17290] Access granted: 'foo' GET
basic_tests-10:/iota, referer:
http://localhost:3691/svn-test-work/repositories/basic_tests-10/

So the access is granted in the first line to "-", after that authz_core
determines that there is yet no user authenticated and the call flow
reaches the configured lua auch hook via authz_core (1:1 from the httpd
docs
https://httpd.apache.org/docs/2.4/de/mod/mod_lua.html#luahookaccesschecker) which sets the user and after that authz_svn:info is happy to grant access to user 'foo' for that resource in the last line - fine so far.

Now the second test with that in authz file:

[/]
foo = rw

This should work the same (shouldn't it) - the user will be 'foo' - but
this is the debug output:

[Tue Jan 23 14:31:56.714114 2018] [authz_svn:debug] [pid 27435:tid
140737127630592] subversion/mod_authz_svn/mod_authz_svn.c(448): [client
127.0.0.1:17374] Path to authz file
is /home/tkrah/Development/src/subversion/subversion/tests/cmdline/svn-test-work/authz, referer: http://localhost:3691/svn-test-work/repositories/basic_tests-10/
[Tue Jan 23 14:31:56.714376 2018] [authz_svn:error] [pid 27435:tid
140737127630592] [client 127.0.0.1:17374] Access denied: - GET
basic_tests-10:/iota, referer:
http://localhost:3691/svn-test-work/repositories/basic_tests-10/

After that the request is already answered with 403 and finished.

mod_authz_core.c had not yet even a chance to run to the authentication
phase and delegate that to the configured lua script.

Any ideas why that request with the user "-" is denied here instead of
processing the chain like above - meaning granted without knowing the
user yet and later on verified and granted with the correct user?

Ideas? Any hints where to put some breakpoints and post values here - i
am not that familiar with the svn source to get the interesting method
calls and values via some gdb help ;).

kind regards

Torsten

application/x-pkcs7-signature attachment: smime.p7s

Received on 2018-01-23 14:45:35 CET

This message: [ Message body ]
Next message: Kenneth Porter: "mailer.py commit says TypeError: must be unicode, not str"
Previous message: Miriam Boucher: "Getting rid of Diff with "file that no longer exists""
In reply to: Torsten Krah: "Re: Problem with authorized user and SVN access"
Next in thread: Torsten Krah: "Re: Problem with authorized user and SVN access"
Reply: Torsten Krah: "Re: Problem with authorized user and SVN access"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]