Bug#617414: libapache2-svn: REPORT gives 500 on authz restricted paths if not authenticated (kerberos)

Daniel Piddock Tue, 08 Mar 2011 11:03:38 -0800

Package: libapache2-svn
Version: 1.6.12dfsg-5
Severity: normal

We use svn DAV with kerberos authentication which worked fine. However
recently we created a /secure folder with restricted access. Any attempt to
access the folder using kerberos authentication causes svn to fail with the
error:
svn: Not authorized to open root of edit operation


Looking in the Apache logs, this is caused by the REPORT command
returning 500.

Using basic authorization the commands complete successfully.

The Authz file contains:
"""
[groups]
admins = dgp

[/]
* = r
@admins = rw

[/secure]
* =
@admins = rw
"""

Apache config DAV section:
<Location /svn>
  DAV svn
  SVNPath /srv/svn/root
  SVNPathAuthz On
  AuthzSVNAccessFile /srv/svn/etc/svnpasswd
  Satisfy Any
  AuthType Kerberos
  AuthName "Subversion (or use kerberos)"
  Krb5Keytab "/etc/apache2/apache2.keytab"
  KrbLocalUserMapping on
  KrbDelegateBasic on
  Require valid-user
  <LimitExcept GET PROPFIND OPTIONS REPORT>
    Require valid-user
  </LimitExcept>
</Location>

Apache log for "svn up" using kerberos (libapache2-mod-auth-kerb):
127.0.1.1 - - [08/Mar/2011:17:39:09 +0000] "OPTIONS /svn/secure HTTP/1.1" 401 
5964
127.0.1.1 - dgp [08/Mar/2011:17:39:09 +0000] "OPTIONS /svn/secure HTTP/1.1" 200 
1236
127.0.1.1 - - [08/Mar/2011:17:39:09 +0000] "PROPFIND /svn/secure HTTP/1.1" 401 
708
127.0.1.1 - dgp [08/Mar/2011:17:39:09 +0000] "PROPFIND /svn/secure HTTP/1.1" 
207 916
127.0.1.1 - - [08/Mar/2011:17:39:09 +0000] "PROPFIND /svn/secure HTTP/1.1" 401 
708
127.0.1.1 - dgp [08/Mar/2011:17:39:09 +0000] "PROPFIND /svn/secure HTTP/1.1" 
207 916
127.0.1.1 - - [08/Mar/2011:17:39:09 +0000] "PROPFIND /svn/!svn/vcc/default 
HTTP/1.1" 207 580
127.0.1.1 - - [08/Mar/2011:17:39:09 +0000] "PROPFIND /svn/!svn/bln/6 HTTP/1.1" 
207 580
127.0.1.1 - - [08/Mar/2011:17:39:09 +0000] "REPORT /svn/!svn/vcc/default 
HTTP/1.1" 500 532

Corresponding entries when falling back to basic auth:
127.0.1.1 - - [08/Mar/2011:18:22:27 +0000] "OPTIONS /svn/secure HTTP/1.1" 401 
820
127.0.1.1 - dgp [08/Mar/2011:18:22:30 +0000] "OPTIONS /svn/secure HTTP/1.1" 200 
996
127.0.1.1 - dgp [08/Mar/2011:18:22:30 +0000] "PROPFIND /svn/secure HTTP/1.1" 
207 676
127.0.1.1 - dgp [08/Mar/2011:18:22:30 +0000] "PROPFIND /svn/!svn/vcc/default 
HTTP/1.1" 207 580
127.0.1.1 - dgp [08/Mar/2011:18:22:30 +0000] "PROPFIND /svn/!svn/bln/6 
HTTP/1.1" 207 580
127.0.1.1 - dgp [08/Mar/2011:18:22:32 +0000] "PROPFIND /svn/secure HTTP/1.1" 
207 676
127.0.1.1 - dgp [08/Mar/2011:18:22:32 +0000] "PROPFIND /svn/!svn/vcc/default 
HTTP/1.1" 207 580
127.0.1.1 - dgp [08/Mar/2011:18:22:32 +0000] "PROPFIND /svn/!svn/bln/6 
HTTP/1.1" 207 580
127.0.1.1 - dgp [08/Mar/2011:18:22:32 +0000] "PROPFIND /svn/secure HTTP/1.1" 
207 676
127.0.1.1 - dgp [08/Mar/2011:18:22:32 +0000] "PROPFIND /svn/!svn/vcc/default 
HTTP/1.1" 207 580
127.0.1.1 - dgp [08/Mar/2011:18:22:32 +0000] "PROPFIND /svn/!svn/bc/6/secure 
HTTP/1.1" 207 676
127.0.1.1 - - [08/Mar/2011:18:22:32 +0000] "OPTIONS /svn/secure HTTP/1.1" 401 
6028
127.0.1.1 - dgp [08/Mar/2011:18:22:32 +0000] "OPTIONS /svn/secure HTTP/1.1" 200 
996
127.0.1.1 - dgp [08/Mar/2011:18:22:32 +0000] "PROPFIND /svn/secure HTTP/1.1" 
207 676
127.0.1.1 - dgp [08/Mar/2011:18:22:33 +0000] "PROPFIND /svn/secure HTTP/1.1" 
207 676
127.0.1.1 - dgp [08/Mar/2011:18:22:33 +0000] "PROPFIND /svn/!svn/vcc/default 
HTTP/1.1" 207 580
127.0.1.1 - dgp [08/Mar/2011:18:22:33 +0000] "PROPFIND /svn/!svn/bln/6 
HTTP/1.1" 207 580
127.0.1.1 - dgp [08/Mar/2011:18:22:33 +0000] "PROPFIND /svn/secure HTTP/1.1" 
207 676
127.0.1.1 - dgp [08/Mar/2011:18:22:33 +0000] "PROPFIND /svn/!svn/vcc/default 
HTTP/1.1" 207 580
127.0.1.1 - dgp [08/Mar/2011:18:22:33 +0000] "PROPFIND /svn/!svn/bln/6 
HTTP/1.1" 207 580
127.0.1.1 - dgp [08/Mar/2011:18:22:33 +0000] "REPORT /svn/!svn/vcc/default 
HTTP/1.1" 200 1042

REPORT fails to ask for authentication if none has been provided and instead
throws an error.

Removing anon access ("Satify All" and removing the "LimitExcept" clause)
allows kerberos auth to work correctly.

libapache2-mod-auth-kerb  5.4-1

-- System Information:
Debian Release: 6.0
  APT prefers squeeze-updates
  APT policy: (500, 'squeeze-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libapache2-svn depends on:
ii  apache2.2-common            2.2.16-6     Apache HTTP Server common files
ii  libc6                       2.11.2-10    Embedded GNU C Library: Shared lib
ii  libsvn1                     1.6.12dfsg-5 Shared libraries used by Subversio

libapache2-svn recommends no packages.

Versions of packages libapache2-svn suggests:
ii  db4.8-util                    4.8.30-2   Berkeley v4.8 Database Utilities

-- no debconf information

-- 
Daniel Piddock, Systems Administrator, CoreFiling Limited
http://www.corefiling.com



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#617414: libapache2-svn: REPORT gives 500 on authz restricted paths if not authenticated (kerberos)

Reply via email to