authz's inverted group access rules are only effective for users mentioned in authz
Hello mailing list, I'm migrating a repository from an ancient Subversion installation: svn, version 1.6.17 (r1128011) compiled Jun 2 2011, 23:35:08 (on Windows) to a recent version: svn, version 1.11.0 (r1845130) compiled Oct 29 2018, 14:33:24 on x86_64-unknown-linux-gnu (on NixOS Linux) And I'm encountering a regression in handling of the authz file by svnserve. Steps to reproduce: # mkdir -p /data/svn # cd /data/svn # svnadmin create myrepo # cat >>myrepo/conf/svnserve.conf <<'END' [general] anon-access = none password-db = passwd authz-db = authz END # cat >>myrepo/conf/passwd <<'END' myuser = mypassword otheruser = otherpassword END # cat >>myrepo/conf/authz <<'END' readonly = otheruser [/] $anonymous = ~@readonly = rw @readonly = r END # svnserve -r /data/svn -d # svn --username myuser --password mypassword --no-auth-cache ls svn://localhost/myrepo svn: E170001: Authorization failed The user "myuser" is not included in group "readonly", so I expect the rule "~@readonly = rw" to take effect, but apparently this doesn't happen. This setup worked fine in the old installation (version 1.6.17). Also, it starts working if I add the user "myuser" to any other group: # in authz, [groups] section unrelatedgroup = myuser or use it in any access rule (even if the rule specifies no access): # in authz, [/] section myuser = I looked at the sources (subversion/libsvn_repos/authz_parse.c), and my guess is that this behaviour results from not setting up user's rights with a call to prepare_global_rights(). When a user is mentioned in authz, this function gets called, and authorization starts working for the user. Possibly correction of this problem could involve adding the new field "unkn_rights" (and "has_unkn_rights") to struct authz_full_t, so that this field would receive access rights from all inverted user-related access rules (~user, ~&alias, ~@group). Then, svn_authz__get_global_rights() would combine authz->has_unkn_rights with authz->has_authn_rights (instead of just returning authz->has_authn_rights) when user_rights is NULL. Pavel Goran P.S. I'm not subscribed to the mailing list; please CC me directly when replying.
Re: authz's inverted group access rules are only effective for users mentioned in authz
On 26.11.2018 18:32, Pavel Goran wrote: > Hello mailing list, > > I'm migrating a repository from an ancient Subversion installation: > > svn, version 1.6.17 (r1128011) > compiled Jun 2 2011, 23:35:08 > (on Windows) > > to a recent version: > > svn, version 1.11.0 (r1845130) >compiled Oct 29 2018, 14:33:24 on x86_64-unknown-linux-gnu > (on NixOS Linux) > > And I'm encountering a regression in handling of the authz file by svnserve. > > Steps to reproduce: [...] > # svnserve -r /data/svn -d > > # svn --username myuser --password mypassword --no-auth-cache ls > svn://localhost/myrepo > svn: E170001: Authorization failed > > The user "myuser" is not included in group "readonly", so I expect the rule > "~@readonly = rw" to take effect, but apparently this doesn't happen. > > This setup worked fine in the old installation (version 1.6.17). Also, it > starts working if I add the user "myuser" to any other group: > > # in authz, [groups] section > unrelatedgroup = myuser > > or use it in any access rule (even if the rule specifies no access): > > # in authz, [/] section > myuser = > > I looked at the sources (subversion/libsvn_repos/authz_parse.c), and my > guess is that this behaviour results from not setting up user's rights with > a call to prepare_global_rights(). When a user is mentioned in authz, this > function gets called, and authorization starts working for the user. > > Possibly correction of this problem could involve adding the new field > "unkn_rights" (and "has_unkn_rights") to struct authz_full_t, so that this > field would receive access rights from all inverted user-related access > rules (~user, ~&alias, ~@group). Then, svn_authz__get_global_rights() would > combine authz->has_unkn_rights with authz->has_authn_rights (instead of just > returning authz->has_authn_rights) when user_rights is NULL. > > Pavel Goran > > P.S. I'm not subscribed to the mailing list; please CC me directly when > replying. Thanks for the detailed report! Yes, this is indeed a bug. I see that you've taken time to analyse the code; could you prepare a patch with the fix you propose? Also can you please create an issue in Jira: https://issues.apache.org/jira/projects/SVN/ -- Brane
Re: authz's inverted group access rules are only effective for users mentioned in authz
On 27.11.2018 10:41, Branko Čibej wrote: > On 26.11.2018 18:32, Pavel Goran wrote: >> Hello mailing list, >> >> I'm migrating a repository from an ancient Subversion installation: >> >> svn, version 1.6.17 (r1128011) >> compiled Jun 2 2011, 23:35:08 >> (on Windows) >> >> to a recent version: >> >> svn, version 1.11.0 (r1845130) >>compiled Oct 29 2018, 14:33:24 on x86_64-unknown-linux-gnu >> (on NixOS Linux) >> >> And I'm encountering a regression in handling of the authz file by svnserve. >> >> Steps to reproduce: > [...] >> # svnserve -r /data/svn -d >> >> # svn --username myuser --password mypassword --no-auth-cache ls >> svn://localhost/myrepo >> svn: E170001: Authorization failed >> >> The user "myuser" is not included in group "readonly", so I expect the rule >> "~@readonly = rw" to take effect, but apparently this doesn't happen. >> >> This setup worked fine in the old installation (version 1.6.17). Also, it >> starts working if I add the user "myuser" to any other group: >> >> # in authz, [groups] section >> unrelatedgroup = myuser >> >> or use it in any access rule (even if the rule specifies no access): >> >> # in authz, [/] section >> myuser = >> >> I looked at the sources (subversion/libsvn_repos/authz_parse.c), and my >> guess is that this behaviour results from not setting up user's rights with >> a call to prepare_global_rights(). When a user is mentioned in authz, this >> function gets called, and authorization starts working for the user. >> >> Possibly correction of this problem could involve adding the new field >> "unkn_rights" (and "has_unkn_rights") to struct authz_full_t, so that this >> field would receive access rights from all inverted user-related access >> rules (~user, ~&alias, ~@group). Then, svn_authz__get_global_rights() would >> combine authz->has_unkn_rights with authz->has_authn_rights (instead of just >> returning authz->has_authn_rights) when user_rights is NULL. >> >> Pavel Goran >> >> P.S. I'm not subscribed to the mailing list; please CC me directly when >> replying. > Thanks for the detailed report! Yes, this is indeed a bug. I see that > you've taken time to analyse the code; could you prepare a patch with > the fix you propose? > > Also can you please create an issue in Jira: > https://issues.apache.org/jira/projects/SVN/ I added a test case for this in r1847598, using the reproduction steps described above. -- Brane
Re: authz's inverted group access rules are only effective for users mentioned in authz
On 27.11.2018 22:33, Branko Čibej wrote: > On 27.11.2018 10:41, Branko Čibej wrote: >> On 26.11.2018 18:32, Pavel Goran wrote: >>> Hello mailing list, >>> >>> I'm migrating a repository from an ancient Subversion installation: >>> >>> svn, version 1.6.17 (r1128011) >>> compiled Jun 2 2011, 23:35:08 >>> (on Windows) >>> >>> to a recent version: >>> >>> svn, version 1.11.0 (r1845130) >>>compiled Oct 29 2018, 14:33:24 on x86_64-unknown-linux-gnu >>> (on NixOS Linux) >>> >>> And I'm encountering a regression in handling of the authz file by svnserve. >>> >>> Steps to reproduce: >> [...] >>> # svnserve -r /data/svn -d >>> >>> # svn --username myuser --password mypassword --no-auth-cache ls >>> svn://localhost/myrepo >>> svn: E170001: Authorization failed >>> >>> The user "myuser" is not included in group "readonly", so I expect the rule >>> "~@readonly = rw" to take effect, but apparently this doesn't happen. >>> >>> This setup worked fine in the old installation (version 1.6.17). Also, it >>> starts working if I add the user "myuser" to any other group: >>> >>> # in authz, [groups] section >>> unrelatedgroup = myuser >>> >>> or use it in any access rule (even if the rule specifies no access): >>> >>> # in authz, [/] section >>> myuser = >>> >>> I looked at the sources (subversion/libsvn_repos/authz_parse.c), and my >>> guess is that this behaviour results from not setting up user's rights with >>> a call to prepare_global_rights(). When a user is mentioned in authz, this >>> function gets called, and authorization starts working for the user. >>> >>> Possibly correction of this problem could involve adding the new field >>> "unkn_rights" (and "has_unkn_rights") to struct authz_full_t, so that this >>> field would receive access rights from all inverted user-related access >>> rules (~user, ~&alias, ~@group). Then, svn_authz__get_global_rights() would >>> combine authz->has_unkn_rights with authz->has_authn_rights (instead of just >>> returning authz->has_authn_rights) when user_rights is NULL. >>> >>> Pavel Goran >>> >>> P.S. I'm not subscribed to the mailing list; please CC me directly when >>> replying. >> Thanks for the detailed report! Yes, this is indeed a bug. I see that >> you've taken time to analyse the code; could you prepare a patch with >> the fix you propose? >> >> Also can you please create an issue in Jira: >> https://issues.apache.org/jira/projects/SVN/ > > I added a test case for this in r1847598, using the reproduction steps > described above. https://issues.apache.org/jira/browse/SVN-4793 -- Brane
Re: authz's inverted group access rules are only effective for users mentioned in authz
On 28.11.2018 01:49, Branko Čibej wrote: > On 27.11.2018 22:33, Branko Čibej wrote: >> On 27.11.2018 10:41, Branko Čibej wrote: >>> On 26.11.2018 18:32, Pavel Goran wrote: Hello mailing list, I'm migrating a repository from an ancient Subversion installation: svn, version 1.6.17 (r1128011) compiled Jun 2 2011, 23:35:08 (on Windows) to a recent version: svn, version 1.11.0 (r1845130) compiled Oct 29 2018, 14:33:24 on x86_64-unknown-linux-gnu (on NixOS Linux) And I'm encountering a regression in handling of the authz file by svnserve. Steps to reproduce: >>> [...] # svnserve -r /data/svn -d # svn --username myuser --password mypassword --no-auth-cache ls svn://localhost/myrepo svn: E170001: Authorization failed The user "myuser" is not included in group "readonly", so I expect the rule "~@readonly = rw" to take effect, but apparently this doesn't happen. This setup worked fine in the old installation (version 1.6.17). Also, it starts working if I add the user "myuser" to any other group: # in authz, [groups] section unrelatedgroup = myuser or use it in any access rule (even if the rule specifies no access): # in authz, [/] section myuser = I looked at the sources (subversion/libsvn_repos/authz_parse.c), and my guess is that this behaviour results from not setting up user's rights with a call to prepare_global_rights(). When a user is mentioned in authz, this function gets called, and authorization starts working for the user. Possibly correction of this problem could involve adding the new field "unkn_rights" (and "has_unkn_rights") to struct authz_full_t, so that this field would receive access rights from all inverted user-related access rules (~user, ~&alias, ~@group). Then, svn_authz__get_global_rights() would combine authz->has_unkn_rights with authz->has_authn_rights (instead of just returning authz->has_authn_rights) when user_rights is NULL. Pavel Goran P.S. I'm not subscribed to the mailing list; please CC me directly when replying. >>> Thanks for the detailed report! Yes, this is indeed a bug. I see that >>> you've taken time to analyse the code; could you prepare a patch with >>> the fix you propose? >>> >>> Also can you please create an issue in Jira: >>> https://issues.apache.org/jira/projects/SVN/ >> I added a test case for this in r1847598, using the reproduction steps >> described above. > https://issues.apache.org/jira/browse/SVN-4793 Fixed: http://svn.apache.org/r1847922 -- Brane
