Re: Subversion access control / Linux users etc.
Thank you very much.

On 07/22/2011 02:36 AM, Ryan Schmidt wrote:
> On Jul 21, 2011, at 06:54, Andy Canfield wrote:
>> The browser, when pointing to http://localhost/svn/RepoName, gives this answer
>>     RepoName - Revision 0: /
>>     Powered by Subversion version 1.6.12 (r955767).
>> This is true whether RepoName is 'sample' or 'example'. Of course, the only thing mod_dav_svn needs to do in this case is to read the repository, and all files and directories are readable by everyone, regardless of whether they are owned by root or andy.
>
> Looks normal to me. It's showing you there is a repository, and it is empty.
>
>> So the browser access mechanism has no commands to control a repository, only to describe it?
>
> It shows you the contents of the HEAD of the repository. There are also URL parameters you can add to look at previous revisions of files. But that's about it. If you want more detailed views into your repository, install a tool dedicated to that purpose, like WebSVN, Trac or ViewVC.
>
> http://www.websvn.info/
> http://trac.edgewall.org/
> http://www.viewvc.org/

Thank you for the three leads. I have installed all three from Ubuntu and will try them out.

>> Logically this might make sense; however I would expect that http://localhost/svn would be capable of listing the repositories
>
> It is. You need to add SVNListParentPath On to your httpd configuration. Just as directory listings are off in Apache by default for security reasons, so showing a list of repositories is off by default in Subversion.
>
>> and creating new repositories.
>
> Sorry, that's not a feature of the mod_dav_svn web interface. Administration functions, like creating and deleting repositories and users, are expected to be done by the sysadmin on the command line of the server. If you want a web interface for that, there are other administration-oriented web interfaces you could install, like SVNManager.
>
> http://svnmanager.org/

For some strange reason SVNManager is not available through the Ubuntu Linux 11.04 distribution interface. So I'll hold off on that. Thanks for the leads.
Re: Subversion access control
Thank you very much.

On 07/20/2011 10:27 PM, Geoff Hoffman wrote:
> Andy,
>
> I thought you were off Apache and onto svnserve. Anyway, I sent you this info last week - maybe you missed it. It is pasted again below. I will grant to you that it is tricky to set up. The david winter blog post below spells it out perfectly... for a single repo setup, multiple users. For multi-user, multi-repo setup see my pasted config files below.
>
> One thing to note that is confusing is that if your repos are at /subversion/repos/repo1 your Location /svn stays the same. The /svn bit there is what appears in the URL address bar, it's not a filesystem path.
>
> I have 10 repositories, project1 through project10, physically located on the Ubuntu filesystem at /svn/project1 /svn/project2 ... /svn/project10
>
> Here is my /etc/apache2/mods-available/dav_svn.conf (the comments come with the file. This was installed using apt-get on Ubuntu 10.04 LTS.)
>
>     <Location /svn>
>       # Uncomment this to enable the repository
>       DAV svn
>
>       # Set this to the path to your repository
>       #SVNPath /svn
>       # Alternatively, use SVNParentPath if you have multiple repositories under
>       # under a single directory (/var/lib/svn/repo1, /var/lib/svn/repo2, ...).
>       # You need either SVNPath and SVNParentPath, but not both.
>       SVNParentPath /svn
>       SVNListParentPath on

This was the line missing from my config file; it allows me to see the overall picture. Thanks!

>       # From http://www.redmine.org/projects/redmine/wiki/Repositories_access_control_with_apache_mod_dav_svn_and_mod_perl
>       #Order deny,allow
>       Deny from all
>       Satisfy any

Makes sense. I changed mine to fit yours.

>       # Access control is done at 3 levels: (1) Apache authentication, via
>       # any of several methods.  A Basic Auth section is commented out
>       # below.  (2) Apache <Limit> and <LimitExcept>, also commented out
>       # below.  (3) mod_authz_svn is a svn-specific authorization module
>       # which offers fine-grained read/write access control for paths
>       # within a repository.  (The first two layers are coarse-grained; you
>       # can only enable/disable access to an entire repository.)  Note that
>       # mod_authz_svn is noticeably slower than the other two layers, so if
>       # you don't need the fine-grained control, don't configure it.
>
>       # Basic Authentication is repository-wide.  It is not secure unless
>       # you are using https.  See the 'htpasswd' command to create and
>       # manage the password file - and the documentation for the
>       # 'auth_basic' and 'authn_file' modules, which you will need for this
>       # (enable them with 'a2enmod').
>       AuthType Basic
>       AuthName "Subversion Repository"
>       AuthUserFile /etc/apache2/dav_svn.passwd
>
>       # To enable authorization via mod_authz_svn
>       AuthzSVNAccessFile /etc/apache2/dav_svn.authz
>
>       # The following three lines allow anonymous read, but make
>       # committers authenticate themselves.  It requires the 'authz_user'
>       # module (enable it with 'a2enmod').
>       #<LimitExcept GET PROPFIND OPTIONS REPORT>
>       Require valid-user
>       #</LimitExcept>
>     </Location>
>
> Now, here is my /etc/apache2/dav_svn.authz file.
>
>     [groups]
>     group1 = usera, userb, userc, userd, usere
>     group2 = userc, userb
>     group3 = userf, userg
>     group4 = usera, userb, userc, userd, usere, userf
>     group5 = userh
>
>     [/]
>     @group1 = rw
>     @group2 =
>     @group3 =
>     @group4 =
>     @group5 =
>
>     [project1:/]
>     @group1 = rw
>
>     [project2:/]
>     @group1 = rw
>     userg = rw
>     userf = rw
>
>     [project4:/]
>     @group1 = rw
>
>     [project5:/]
>     @group11 = rw
>
>     [project6:/]
>     @group1 = rw
>     @group5 = rw
>
>     [project7:/]
>     @group1 = rw
>
>     [project8:/]
>     @group1 = rw
>
>     [project9:/]
>     @group1 = rw
>
>     [project10:/]
>     @group1 = rw
>     @group4 = rw

I notice that you don't have any entries that read ... = r; everyone who can read can write also. No need?

> There is no need to send you the dav_svn.passwd - it merely lists usera through userh with their hashed password. You use the htpasswd program to set your users up.
>
> Here is the email I sent before...
>
> I read (skimmed) all your posts, and I'm a little confused but I think I know where you're going. I'm not sure if you're using Apache to serve your repositories. If you are, you should check out this:
> http://davidwinter.me/articles/2006/03/03/access-control-for-subversion-with-apache2-and-authz/
> and this
> https://help.ubuntu.com/community/Subversion
>
> I recently followed the blog above and got everything set up how I think you want it. You can control user access to multiple repos in three ways, the blog explains it all, except one thing. I found that this is for folder-level control on one repository:
>
>     [/]
>     @team = r
>     bob = rw
>
>     [/wowapp/trunk]
>     @team = r
>     @devteam = rw
>     brenda = rw
>
> In my authz control file, multiple repositories are done like this (note the repo name and colon):
>
>     [repoA:/]
>     @team = r
>     bob = rw
>
>     [repoB:/]
>     @team = r
>     @devteam = rw
>     brenda = rw
>
> I also put websvn on it, and use the configuration option

Looks interesting; I installed it. Lots of configuration to do; will do later.

>     $config->useAuthenticationFile('/path/to/your/authz/file');
> which I found
Re: Subversion access control
On Thu, Jul 21, 2011 at 11:19 PM, Andy Canfield <andy.canfi...@pimco.mobi> wrote:
> I notice that you don't have any entries that read ... = r; everyone who can read can write also. No need?

Yeah, I just don't have a use case for that. The RSS feed of a repo's commits from websvn is much more useful than read-only access to the server (basically websvn provides read-only access in a browser, all nice and pretty.)

I'm glad you got it working! It's worth it in the end. The insurance policy that an SCM system provides is priceless.
Re: Subversion access control / Linux users etc.
More user/command interaction -

The commands to create the Subversion Repository Parent directory were

    sudo bash
    mkdir /data/svn
    chmod a+w /data/svn

This created this directory:

    drwxrwxrwx 4 root 4096 2011-07-21 17:36 /data/svn/

I ran this command as user root:

    svnadmin create /data/svn/sample

and what I get is

    drwxr-xr-x 6 root 4096 2011-07-21 11:08 /data/svn/sample/

I ran this command as user andy:

    svnadmin create /data/svn/example

and what I got is

    drwxr-xr-x 6 andy 4096 2011-07-21 17:36 /data/svn/example/

It concerns me that apache is running as user 'www-data' and neither of these repositories is owned by, or even writable by, www-data. So I did these commands:

    sudo bash
    su www-data
    svnadmin create geronimo

The output of the last command was as follows:

    svnadmin: Repository creation failed
    svnadmin: Could not create top-level directory
    svnadmin: Can't create directory 'geronimo': Permission denied

That surprises me; the /data/svn directory is writable by everyone. Ah well.

The browser, when pointing to http://localhost/svn/RepoName, gives this answer

    RepoName - Revision 0: /
    Powered by Subversion version 1.6.12 (r955767).

This is true whether RepoName is 'sample' or 'example'. Of course, the only thing mod_dav_svn needs to do in this case is to read the repository, and all files and directories are readable by everyone, regardless of whether they are owned by root or andy.

So the browser access mechanism has no commands to control a repository, only to describe it? Logically this might make sense; however I would expect that http://localhost/svn would be capable of listing the repositories and creating new repositories. But when I point the browser to http://localhost/svn I get this response:

    Forbidden
    You don't have permission to access /svn/ on this server.
    Apache/2.2.17 (Ubuntu) Server at localhost Port 80

When I look at /var/log/apache2/error.log I see these lines:

    [Thu Jul 21 17:54:04 2011] [error] [client 127.0.0.1] Could not fetch resource information.  [403, #0]
    [Thu Jul 21 17:54:04 2011] [error] [client 127.0.0.1] (2)No such file or directory: The URI does not contain the name of a repository.  [403, #190001]

Ahah! So http://localhost/svn is NOT a valid Subversion URL. I was mistaken when I thought someone said that the Apache browser interface could give me a list of the repositories.

PROBLEMS WITH THE 'SVN' COMMAND -

As Linux user 'andy'. Here goes:

    rm -rf .subversion
    svn info http://localhost/svn/sample --username='andy' --password='not-shown'
    Password for 'default' GNOME keyring:
    svn: OPTIONS of 'http://localhost/svn/sample': authorization failed: Could not authenticate to server: rejected Basic challenge (http://localhost)

The fact is that, as far as I know, I DON'T HAVE ANY %$#@! GNOME KEYRING! So when it asked for the Password for 'default' GNOME keyring I just pressed Enter. Then authentication failed.

OK, so I have completely removed the gnome-keyring package. I also had to wipe out the ~/.gnome2/keyrings directory. Now to try again. Wait. Wait some more. Go down to 7/11; buy a hot dog and some potato chips. Come back home. It's been 20-30 minutes. Command still hasn't completed. Nothing in /var/log/apache2/error.log. Just a dead svn program. Had to kill -9.

When it comes to plants, some people have a green thumb; I have a brown thumb. Looks like when it comes to Subversion I have a black thumb.
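The message above shows repositories created by root and by andy inside a world-writable /data/svn while Apache runs as www-data. The audit below, an added example that is not from the thread, checks exactly that: whether the Apache worker identity can write each repository's db directory (commits through mod_dav_svn need that) and whether the parent is open to every local user. It takes the Apache uid and gid list as parameters and builds a constructed stand-in for /data/svn, so it runs offline; no real www-data account is assumed.

```python
"""Audit SVNParentPath ownership against the Apache worker identity.
Added example, not code from the thread or from Subversion."""
import os
import stat
import tempfile


def _can_write(st, uid, gids):
    """Classic POSIX check: owner bit, else group bit, else other bit."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_parent(parent, uid, gids):
    """Return [(path, problem)] for PARENT and every repository under it.
    A directory counts as a repository when it has the 'format' file and
    'db' directory that svnadmin create leaves behind."""
    findings = []
    pst = os.stat(parent)
    if pst.st_mode & stat.S_IWOTH:
        findings.append((parent, "world-writable: any local user can add repositories"))
    if not _can_write(pst, uid, gids):
        findings.append((parent, "apache user cannot create repositories here"))
    for name in sorted(os.listdir(parent)):
        repo = os.path.join(parent, name)
        if not (os.path.isfile(os.path.join(repo, "format"))
                and os.path.isdir(os.path.join(repo, "db"))):
            continue
        # db/ and its contents must be writable or every commit fails
        for sub in ("db", os.path.join("db", "revs"), os.path.join("db", "current")):
            p = os.path.join(repo, sub)
            if os.path.exists(p) and not _can_write(os.stat(p), uid, gids):
                findings.append((repo, f"apache user cannot write {sub}: commits will fail"))
                break
    return findings


def build_sample_tree():
    """Constructed stand-in for /data/svn: an a+w parent, one repo left at
    svnadmin's default 0755/0644 (as root or andy created them) and one
    repo made group-writable for the Apache group.  Returns the parent."""
    parent = os.path.join(tempfile.mkdtemp(), "svn")
    os.makedirs(parent)
    os.chmod(parent, 0o777)                           # chmod a+w /data/svn
    for name, dmode, fmode in (("sample", 0o755, 0o644), ("fixed", 0o770, 0o660)):
        repo = os.path.join(parent, name)
        os.makedirs(os.path.join(repo, "db", "revs"))
        for f in ("format", os.path.join("db", "current")):
            with open(os.path.join(repo, f), "w") as fh:
                fh.write("5\n")                       # placeholder content
            os.chmod(os.path.join(repo, f), fmode)
        for d in (repo, os.path.join(repo, "db"), os.path.join(repo, "db", "revs")):
            os.chmod(d, dmode)
    os.makedirs(os.path.join(parent, "notes"))        # not a repository: ignored
    return parent


def demo():
    """Audit the sample tree as an 'outsider' uid that owns nothing in it
    but shares the group (the www-data situation), then as the owner.
    Returns (parent, outsider_findings, owner_findings)."""
    parent = build_sample_tree()
    gids = (os.stat(parent).st_gid,)
    outsider = audit_parent(parent, os.getuid() + 1, gids)
    owner = audit_parent(parent, os.getuid(), gids)
    return parent, outsider, owner


if __name__ == "__main__":
    for path, problem in demo()[1]:
        print(f"{path}: {problem}")
```

The outsider run reports the world-writable parent and the 0755 'sample' repository but stays silent on the group-writable 'fixed' one, which is the state to aim for: a parent that is not a+w, repositories owned by or group-writable for the Apache user.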
Re: Subversion access control
On Wed, Jul 20, 2011 at 9:14 PM, Andy Canfield <andy.canfi...@pimco.mobi> wrote:
> Thank you very much.
>
> On 07/20/2011 12:19 PM, Nico Kadel-Garcia wrote:
>> On Tue, Jul 19, 2011 at 11:14 PM, Andy Canfield <andy.canfi...@pimco.mobi> wrote:
>>> One thing has hit my mind today that I don't think you realize ... I have never, in my entire life, seen a working Subversion system. Apparently Subversion, as distributed, doesn't work - the access authentications are deliberately turned off.
>>
>> I'm afraid it depends on your access requirements. Seriously. Which access technology are you using? svn+ssh (which I tend to recommend), or Apache (using https://), or svn directly (svn://) Start with that and we'll walk you through it.
>
> OK, here goes. I would like to use http/https. I am not supposed to be working on the server, but on my notebook workstation. And svn or svn+ssh require port 3690 to be forwarded by the router, and we don't own the router. So I would prefer http and/or https. But on the actual server https is screwed up because mod_dav_svn.so is a year earlier than Apache, and apparently there is a version mismatch. When svn is enabled apache is dead. I have put in a request for my friend to re-install, but that could take a week. So for the interim I have installed mod_dav etc. on my notebook computer. FYI it is running Ubuntu Linux 1.04. This is for testing.
>
> Directory /etc/apache2/mods-enabled contains the file dav.load with this contents:
>
>     LoadModule dav_module /usr/lib/apache2/modules/mod_dav.so
>
> That same directory also contains the file dav_svn.load with these contents:
>
>     # Depends: dav
>     LoadModule dav_svn_module /usr/lib/apache2/modules/mod_dav_svn.so
>     LoadModule authz_svn_module /usr/lib/apache2/modules/mod_authz_svn.so
>
> That same directory also contains the file dav_svn.conf which I altered; this is the altered contents:
>
>     # dav_svn.conf - Example Subversion/Apache configuration
>     #
>     # For details and further options see the Apache user manual and
>     # the Subversion book.
>     #
>     # NOTE: for a setup with multiple vhosts, you will want to do this
>     # configuration in /etc/apache2/sites-available/*, not here.
>
>     # <Location URL> ... </Location>
>     # URL controls how the repository appears to the outside world.
>     # In this example clients access the repository as http://hostname/svn/
>     # Note, a literal /svn should NOT exist in your document root.
>     <Location /svn>
>
>       # Uncomment this to enable the repository
>       DAV svn
>
>       # Set this to the path to your repository
>       #SVNPath /var/lib/svn
>       # Alternatively, use SVNParentPath if you have multiple repositories under
>       # under a single directory (/var/lib/svn/repo1, /var/lib/svn/repo2, ...).
>       # You need either SVNPath and SVNParentPath, but not both.
>       #SVNParentPath /var/lib/svn
>       SVNParentPath /data/svn
>
>       # Access control is done at 3 levels: (1) Apache authentication, via
>       # any of several methods.  A Basic Auth section is commented out
>       # below.  (2) Apache <Limit> and <LimitExcept>, also commented out
>       # below.  (3) mod_authz_svn is a svn-specific authorization module
>       # which offers fine-grained read/write access control for paths
>       # within a repository.  (The first two layers are coarse-grained; you
>       # can only enable/disable access to an entire repository.)  Note that
>       # mod_authz_svn is noticeably slower than the other two layers, so if
>       # you don't need the fine-grained control, don't configure it.
>
>       # Basic Authentication is repository-wide.  It is not secure unless
>       # you are using https.  See the 'htpasswd' command to create and
>       # manage the password file - and the documentation for the
>       # 'auth_basic' and 'authn_file' modules, which you will need for this
>       # (enable them with 'a2enmod').
>       #AuthType Basic
>       #AuthName "Subversion Repository"
>       #AuthUserFile /etc/apache2/dav_svn.passwd
>       AuthType Basic
>       AuthName "Lenny Subversion Repository"
>       AuthUserFile /etc/apache2/dav_svn.passwd
>
>       # To enable authorization via mod_authz_svn
>       #AuthzSVNAccessFile /etc/apache2/dav_svn.authz
>
>       # The following three lines allow anonymous read, but make
>       # committers authenticate themselves.  It requires the 'authz_user'
>       # module (enable it with 'a2enmod').
>       #<LimitExcept GET PROPFIND OPTIONS REPORT>
>       #Require valid-user
>       #</LimitExcept>
>       Require valid-user
>
>     </Location>
>
> By the way, all three of the above files in /etc/apache2/mods-enabled are actually symbolic links to the same file name in ../mods-available.
>
> I used sudo htpasswd to create the /etc/apache2/dav_svn.passwd file:
>
>     andy:4izmp7W8TSqww
>
> Also I created my subversion directory like this:
>
>     sudo bash
>     mkdir /data/svn
>     chmod a+w /data/svn
>     ls /data/svn
>     drwxrwxrwx 2 root root 4096 2011-07-21 10:53 /data/svn
>
> Now I point my browser to http://localhost/svn and I get a prompt for a user name and password. If I type in my valid user name andy and
Re: Subversion access control / Linux users etc.
On Thu, Jul 21, 2011 at 4:54 AM, Andy Canfield <andy.canfi...@pimco.mobi> wrote:
> More user/command interaction -
>
> The commands to create the Subversion Repository Parent directory were
>
>     sudo bash
>     mkdir /data/svn
>     chmod a+w /data/svn
>
> This created this directory:
>
>     drwxrwxrwx 4 root 4096 2011-07-21 17:36 /data/svn/
>
> I ran this command as user root:
>
>     svnadmin create /data/svn/sample
>
> and what I get is
>
>     drwxr-xr-x 6 root 4096 2011-07-21 11:08 /data/svn/sample/
>
> I ran this command as user andy:
>
>     svnadmin create /data/svn/example
>
> and what I got is
>
>     drwxr-xr-x 6 andy 4096 2011-07-21 17:36 /data/svn/example/
>
> It concerns me that apache is running as user 'www-data' and neither of these repositories is owned by, or even writable by, www-data. So I did these commands:
>
>     sudo bash
>     su www-data
>     svnadmin create geronimo
>
> The output of the last command was as follows:
>
>     svnadmin: Repository creation failed
>     svnadmin: Could not create top-level directory
>     svnadmin: Can't create directory 'geronimo': Permission denied
>
> That surprises me; the /data/svn directory is writable by everyone. Ah well.
>
> The browser, when pointing to http://localhost/svn/RepoName, gives this answer
>
>     RepoName - Revision 0: /
>     Powered by Subversion version 1.6.12 (r955767).
>
> This is true whether RepoName is 'sample' or 'example'. Of course, the only thing mod_dav_svn needs to do in this case is to read the repository, and all files and directories are readable by everyone, regardless of whether they are owned by root or andy.
>
> So the browser access mechanism has no commands to control a repository, only to describe it? Logically this might make sense; however I would expect that http://localhost/svn would be capable of listing the repositories and creating new repositories. But when I point the browser to http://localhost/svn I get this response:
>
>     Forbidden
>     You don't have permission to access /svn/ on this server.
>     Apache/2.2.17 (Ubuntu) Server at localhost Port 80
>
> When I look at /var/log/apache2/error.log I see these lines:
>
>     [Thu Jul 21 17:54:04 2011] [error] [client 127.0.0.1] Could not fetch resource information.  [403, #0]
>     [Thu Jul 21 17:54:04 2011] [error] [client 127.0.0.1] (2)No such file or directory: The URI does not contain the name of a repository.  [403, #190001]
>
> Ahah! So http://localhost/svn is NOT a valid Subversion URL. I was mistaken when I thought someone said that the Apache browser interface could give me a list of the repositories.
>
> PROBLEMS WITH THE 'SVN' COMMAND -
>
> As Linux user 'andy'. Here goes:
>
>     rm -rf .subversion
>     svn info http://localhost/svn/sample --username='andy' --password='not-shown'
>     Password for 'default' GNOME keyring:
>     svn: OPTIONS of 'http://localhost/svn/sample': authorization failed: Could not authenticate to server: rejected Basic challenge (http://localhost)
>
> The fact is that, as far as I know, I DON'T HAVE ANY %$#@! GNOME KEYRING! So when it asked for the Password for 'default' GNOME keyring I just pressed Enter. Then authentication failed.
>
> OK, so I have completely removed the gnome-keyring package. I also had to wipe out the ~/.gnome2/keyrings directory. Now to try again. Wait. Wait some more. Go down to 7/11; buy a hot dog and some potato chips. Come back home. It's been 20-30 minutes. Command still hasn't completed. Nothing in /var/log/apache2/error.log. Just a dead svn program. Had to kill -9.
>
> When it comes to plants, some people have a green thumb; I have a brown thumb. Looks like when it comes to Subversion I have a black thumb.

I feel for you, Andy. I had all these same problems you're having. The whole gnome-keyring thing is a bad decision IMO, or at least, to use only gnome-keyring or kwallet. Why they didn't leave the default password storage options from 1.4x is a mystery. You are definitely not the first person to have confusion and issues over this.

From what I read they changed the behavior between Subversion server 1.4 to 1.5/1.6 to use this new/different authentication scheme. I never fixed that on my server, either. I'm running Ubuntu Server 10.04 LTS and there is no desktop so there is no gnome keyring. I just keep saying 'no' when it asks to store plaintext passwords, and have to enter my password every command I do. This is okay for me because 95% of the commands I run are not on the server but from a remote client, and my IDE, both of which store my password for me.

http://blogs.collab.net/subversion/2009/07/subversion-16-security-improvements/

If *you are not* concerned about the security issues surrounding storing plaintext passwords, then you can enable that option in the [global] section of your /etc/subversion/servers file:

    store-plaintext-passwords = yes

If *you are* concerned about security issues like this, you can try gnome-keyring or kwallet.
Re: Subversion access control / Linux users etc.
The issues with passwords are why we ended up going with SSH public-key authentication. Load the SSH key into the SSH agent, unlock it with the passphrase, then don't worry about it again until we reset the SSH agent at logout. Fewer prompts, happier users. (Plus it makes it harder to get into our servers since we don't allow password authentication.)
Re: Subversion access control
Andy,

I thought you were off Apache and onto svnserve. Anyway, I sent you this info last week - maybe you missed it. It is pasted again below. I will grant to you that it is tricky to set up. The david winter blog post below spells it out perfectly... for a single repo setup, multiple users. For multi-user, multi-repo setup see my pasted config files below.

One thing to note that is confusing is that if your repos are at /subversion/repos/repo1 your Location /svn stays the same. The /svn bit there is what appears in the URL address bar, it's not a filesystem path.

I have 10 repositories, project1 through project10, physically located on the Ubuntu filesystem at /svn/project1 /svn/project2 ... /svn/project10

Here is my /etc/apache2/mods-available/dav_svn.conf (the comments come with the file. This was installed using apt-get on Ubuntu 10.04 LTS.)

    <Location /svn>
      # Uncomment this to enable the repository
      DAV svn

      # Set this to the path to your repository
      #SVNPath /svn
      # Alternatively, use SVNParentPath if you have multiple repositories under
      # under a single directory (/var/lib/svn/repo1, /var/lib/svn/repo2, ...).
      # You need either SVNPath and SVNParentPath, but not both.
      SVNParentPath /svn
      SVNListParentPath on

      # From http://www.redmine.org/projects/redmine/wiki/Repositories_access_control_with_apache_mod_dav_svn_and_mod_perl
      #Order deny,allow
      Deny from all
      Satisfy any

      # Access control is done at 3 levels: (1) Apache authentication, via
      # any of several methods.  A Basic Auth section is commented out
      # below.  (2) Apache <Limit> and <LimitExcept>, also commented out
      # below.  (3) mod_authz_svn is a svn-specific authorization module
      # which offers fine-grained read/write access control for paths
      # within a repository.  (The first two layers are coarse-grained; you
      # can only enable/disable access to an entire repository.)  Note that
      # mod_authz_svn is noticeably slower than the other two layers, so if
      # you don't need the fine-grained control, don't configure it.

      # Basic Authentication is repository-wide.  It is not secure unless
      # you are using https.  See the 'htpasswd' command to create and
      # manage the password file - and the documentation for the
      # 'auth_basic' and 'authn_file' modules, which you will need for this
      # (enable them with 'a2enmod').
      AuthType Basic
      AuthName "Subversion Repository"
      AuthUserFile /etc/apache2/dav_svn.passwd

      # To enable authorization via mod_authz_svn
      AuthzSVNAccessFile /etc/apache2/dav_svn.authz

      # The following three lines allow anonymous read, but make
      # committers authenticate themselves.  It requires the 'authz_user'
      # module (enable it with 'a2enmod').
      #<LimitExcept GET PROPFIND OPTIONS REPORT>
      Require valid-user
      #</LimitExcept>
    </Location>

Now, here is my /etc/apache2/dav_svn.authz file.

    [groups]
    group1 = usera, userb, userc, userd, usere
    group2 = userc, userb
    group3 = userf, userg
    group4 = usera, userb, userc, userd, usere, userf
    group5 = userh

    [/]
    @group1 = rw
    @group2 =
    @group3 =
    @group4 =
    @group5 =

    [project1:/]
    @group1 = rw

    [project2:/]
    @group1 = rw
    userg = rw
    userf = rw

    [project4:/]
    @group1 = rw

    [project5:/]
    @group11 = rw

    [project6:/]
    @group1 = rw
    @group5 = rw

    [project7:/]
    @group1 = rw

    [project8:/]
    @group1 = rw

    [project9:/]
    @group1 = rw

    [project10:/]
    @group1 = rw
    @group4 = rw

There is no need to send you the dav_svn.passwd - it merely lists usera through userh with their hashed password. You use the htpasswd program to set your users up.

Here is the email I sent before...

I read (skimmed) all your posts, and I'm a little confused but I think I know where you're going. I'm not sure if you're using Apache to serve your repositories. If you are, you should check out this:
http://davidwinter.me/articles/2006/03/03/access-control-for-subversion-with-apache2-and-authz/
and this
https://help.ubuntu.com/community/Subversion

I recently followed the blog above and got everything set up how I think you want it. You can control user access to multiple repos in three ways, the blog explains it all, except one thing. I found that this is for folder-level control on one repository:

    [/]
    @team = r
    bob = rw

    [/wowapp/trunk]
    @team = r
    @devteam = rw
    brenda = rw

In my authz control file, multiple repositories are done like this (note the repo name and colon):

    [repoA:/]
    @team = r
    bob = rw

    [repoB:/]
    @team = r
    @devteam = rw
    brenda = rw

I also put websvn on it, and use the configuration option

    $config->useAuthenticationFile('/path/to/your/authz/file');

which I found on this stackoverflow QA: http://serverfault.com/questions/13853/how-do-i-restrict-repository-access-via-websvn
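The dav_svn.authz file above (and Andy's question, in his reply to this message, about having no "= r" entries) is easiest to reason about with a small evaluator. The checker below is an added example, not code from the thread or from Subversion; it follows the mod_authz_svn lookup order (walk from the requested path up to "/", consulting [repo:path] before [path] at each level, first applicable section decides) and validates that every @group a rule names is defined, which Subversion requires before it will load the file. Assumption: when several rules in one section apply to the same user with different permissions, the checker grants only what they all agree on and reports the section as a conflict to resolve, instead of guessing which rule Subversion prefers; aliases (&) and negations (~) are not handled.

```python
"""Authz checker for a mod_authz_svn access file (added example, not from
the thread).  See the lead-in for the resolution model and assumptions."""
import configparser

# Constructed sample: the [groups] block and a subset of the sections of the
# dav_svn.authz posted above, including its [project5:/] @group11 reference.
SAMPLE_AUTHZ = """\
[groups]
group1 = usera, userb, userc, userd, usere
group2 = userc, userb
group3 = userf, userg
group4 = usera, userb, userc, userd, usere, userf
group5 = userh

[/]
@group1 = rw
@group2 =
@group3 =
@group4 =
@group5 =

[project2:/]
@group1 = rw
userg = rw
userf = rw

[project5:/]
@group11 = rw

[project6:/]
@group1 = rw
@group5 = rw

[project10:/]
@group1 = rw
@group4 = rw
"""


def parse_authz(text):
    """Return (groups, sections): group name -> member set, section -> rules."""
    cp = configparser.RawConfigParser(allow_no_value=True, delimiters=("=",))
    cp.optionxform = str          # user and group names are case-sensitive
    cp.read_string(text)
    groups = {}
    if cp.has_section("groups"):
        for name, members in cp.items("groups"):
            groups[name] = {m.strip() for m in (members or "").split(",") if m.strip()}
    sections = {s: dict(cp.items(s)) for s in cp.sections() if s != "groups"}
    return groups, sections


def undefined_groups(authz):
    """[(section, '@name')] for rules naming a group [groups] never defines."""
    groups, sections = authz
    return [(sec, who) for sec, rules in sections.items()
            for who in rules if who.startswith("@") and who[1:] not in groups]


def _applies(who, user, groups):
    """Does rule subject WHO cover USER (None means anonymous)?"""
    if who == "*":
        return True
    if who == "$authenticated":
        return user is not None
    if who.startswith("@"):
        return user in groups.get(who[1:], set())
    return who == user


def _section_verdict(rules, user, groups):
    """(access, conflict) for one section, or None when no rule applies."""
    matched = [set((perms or "").replace(" ", "")) & {"r", "w"}
               for who, perms in rules.items() if _applies(who, user, groups)]
    if not matched:
        return None
    agreed = set.intersection(*matched)     # most restrictive reading
    conflict = any(m != agreed for m in matched)
    return "".join(p for p in "rw" if p in agreed), conflict


def evaluate(authz, repo, path, user):
    """Return (access, conflicting_section); access is 'rw', 'r' or ''.
    conflicting_section names the deciding section if its rules disagree."""
    groups, sections = authz
    current = path if path.startswith("/") else "/" + path
    while True:
        for key in (f"{repo}:{current}", current):   # repo-specific first
            if key in sections:
                verdict = _section_verdict(sections[key], user, groups)
                if verdict is not None:
                    access, conflict = verdict
                    return access, (key if conflict else None)
        if current == "/":
            return "", None                  # no rule anywhere: no access
        current = current.rsplit("/", 1)[0] or "/"


if __name__ == "__main__":
    authz = parse_authz(SAMPLE_AUTHZ)
    for sec, who in undefined_groups(authz):
        print(f"{sec}: refers to undefined group {who}")
    for repo, user in [("project2", "userf"), ("project3", "usera"),
                       ("project6", "userh"), ("project6", None)]:
        print(repo, user, evaluate(authz, repo, "/trunk", user))
```

Two things the run surfaces that reading the file does not: usera..usere sit in both group1 (rw) and group4 (no access) in the [/] section, so any repository without its own section resolves through conflicting rules for them, and the blog's "@team = r / bob = rw" pattern is the same kind of overlap for bob.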
Re: Subversion access control
Thank you very much.

On 07/20/2011 12:19 PM, Nico Kadel-Garcia wrote:
On Tue, Jul 19, 2011 at 11:14 PM, Andy Canfield andy.canfi...@pimco.mobi wrote:
One thing has hit my mind today that I don't think you realize ... I have never, in my entire life, seen a working Subversion system. Apparently Subversion, as distributed, doesn't work - the access authentications are deliberately turned off.
I'm afraid it depends on your access requirements. Seriously. Which access technology are you using? svn+ssh (which I tend to recommend), or Apache (using https://), or svn directly (svn://)? Start with that and we'll walk you through it.

OK, here goes. I would like to use http/https. I am not supposed to be working on the server, but on my notebook workstation. And svn or svn+ssh require port 3690 to be forwarded by the router, and we don't own the router. So I would prefer http and/or https. But on the actual server https is screwed up because mod_dev_svn.so is a year earlier than Apache, and apparently there is a version mismatch. When svn is enabled apache is dead. I have put in a request for my friend to re-install, but that could take a week.

So for the interim I have installed mod_dav etc. on my notebook computer. FYI it is running Ubuntu Linux 1.04. This is for testing.

Directory /etc/apache2/mods-enabled contains the file dav.load with this contents:

LoadModule dav_module /usr/lib/apache2/modules/mod_dav.so

That same directory also contains the file dav_svn.load with these contents:

# Depends: dav
LoadModule dav_svn_module /usr/lib/apache2/modules/mod_dav_svn.so
LoadModule authz_svn_module /usr/lib/apache2/modules/mod_authz_svn.so

That same directory also contains the file dav_svn.conf which I altered; this is the altered contents:

# dav_svn.conf - Example Subversion/Apache configuration
#
# For details and further options see the Apache user manual and
# the Subversion book.
#
# NOTE: for a setup with multiple vhosts, you will want to do this
# configuration in /etc/apache2/sites-available/*, not here.

# <Location URL> ... </Location>
# URL controls how the repository appears to the outside world.
# In this example clients access the repository as http://hostname/svn/
# Note, a literal /svn should NOT exist in your document root.
<Location /svn>

  # Uncomment this to enable the repository
  DAV svn

  # Set this to the path to your repository
  #SVNPath /var/lib/svn
  # Alternatively, use SVNParentPath if you have multiple repositories under
  # under a single directory (/var/lib/svn/repo1, /var/lib/svn/repo2, ...).
  # You need either SVNPath and SVNParentPath, but not both.
  #SVNParentPath /var/lib/svn
  SVNParentPath /data/svn

  # Access control is done at 3 levels: (1) Apache authentication, via
  # any of several methods. A Basic Auth section is commented out
  # below. (2) Apache <Limit> and <LimitExcept>, also commented out
  # below. (3) mod_authz_svn is a svn-specific authorization module
  # which offers fine-grained read/write access control for paths
  # within a repository. (The first two layers are coarse-grained; you
  # can only enable/disable access to an entire repository.) Note that
  # mod_authz_svn is noticeably slower than the other two layers, so if
  # you don't need the fine-grained control, don't configure it.

  # Basic Authentication is repository-wide. It is not secure unless
  # you are using https. See the 'htpasswd' command to create and
  # manage the password file - and the documentation for the
  # 'auth_basic' and 'authn_file' modules, which you will need for this
  # (enable them with 'a2enmod').
  #AuthType Basic
  #AuthName "Subversion Repository"
  #AuthUserFile /etc/apache2/dav_svn.passwd
  AuthType Basic
  AuthName "Lenny Subversion Repository"
  AuthUserFile /etc/apache2/dav_svn.passwd

  # To enable authorization via mod_authz_svn
  #AuthzSVNAccessFile /etc/apache2/dav_svn.authz

  # The following three lines allow anonymous read, but make
  # committers authenticate themselves. It requires the 'authz_user'
  # module (enable it with 'a2enmod').
  #<LimitExcept GET PROPFIND OPTIONS REPORT>
    #Require valid-user
  #</LimitExcept>
  Require valid-user

</Location>

By the way, all three of the above files in /etc/apache2/mods-enabled are actually symbolic links to the same file name in ../mods-available.

I used sudo htpasswd to create the /etc/apache2/dav_svn.passwd file:

andy:4izmp7W8TSqww

Also I created my subversion directory like this:

sudo bash
mkdir /data/svn
chmod a+w /data/svn
ls /data/svn
drwxrwxrwx 2 root root 4096 2011-07-21 10:53 /data/svn

Now I point my browser to http://localhost/svn and I get a prompt for a user name and password. If I type in my valid user name andy and a completely spurious password, I get prompted again. But if I type in my valid user name and password (as given when I created the dav_svn.passwd file), the result is:

Forbidden You
Re: Subversion access control
OFF THE SUBJECT OF APACHE, NOW TRYING TO ACCESS SVNSERVE VIA PORT 3690

/var/svn/config/svnserve.conf has been changed from the default to show

anon-access = none
password-db = passwd
authz-db = authz

The passwd file contains

andy = canfield

The authz file contains:

[/sample]
andy = rw

The repository /var/svn/sample contains a subdirectory 'conf' containing svnserve.conf, passwd, and authz files which are symbolic links to the files in /var/svn/config. The svnserve was run with this command:

/usr/bin/svnserve --daemon --root=/var/svn --config-file=/var/svn/config/svnserve.conf

I have one repository defined named sample. The command:

svn info svn://localhost/sample

Gave this response:

Authentication realm: <svn://localhost:3690> 5a3a5c16-49ac-46d9-b1e8-d48cc97c4754
Password for 'andy':
Authentication realm: <svn://localhost:3690> 5a3a5c16-49ac-46d9-b1e8-d48cc97c4754
Username: andy
Password for 'andy':

---
ATTENTION! Your password for authentication realm:

   <svn://localhost:3690> 5a3a5c16-49ac-46d9-b1e8-d48cc97c4754

can only be stored to disk unencrypted! You are advised to configure
your system so that Subversion can store passwords encrypted, if
possible. See the documentation for details.

You can avoid future appearances of this warning by setting the value
of the 'store-plaintext-passwords' option to either 'yes' or 'no' in
'/Users/andy/.subversion/servers'.
---
Store password unencrypted (yes/no)? yes
svn: Authorization failed

[1] Why does it ask for the password for andy, then ask for a user name and password?
[2] What is an authentication realm?
[3] Why does it talk about STORING my password, when as far as I know all subversion does is check your password against the contents of the passwd file.
[4] Why does authentication fail?
[5] Why does authentication fail immediately after the first time?
[6] I now have an entire directory tree named .subversion in my home directory. I have no idea what any of this stuff is or is supposed to be. Is this what is blocking me from my repository?
[7] The repository was created by svnadmin create ... which has to be executed as root. Does this mean that only root can access this repository from now on? That doesn't make sense.
Re: Subversion access control
On Tue, Jul 19, 2011 at 06:50, Andy Canfield andy.canfi...@pimco.mobi wrote:

OFF THE SUBJECT OF APACHE, NOW TRYING TO ACCESS SVNSERVE VIA PORT 3690

/var/svn/config/svnserve.conf has been changed from the default to show

anon-access = none
password-db = passwd
authz-db = authz

The passwd file contains

andy = canfield

The authz file contains:

[/sample]
andy = rw

The repository /var/svn/sample contains a subdirectory 'conf' containing svnserve.conf, passwd, and authz files which are symbolic links to the files in /var/svn/config. The svnserve was run with this command:

/usr/bin/svnserve --daemon --root=/var/svn --config-file=/var/svn/config/svnserve.conf

I have one repository defined named sample. The command:

svn info svn://localhost/sample

Gave this response:

Authentication realm: <svn://localhost:3690> 5a3a5c16-49ac-46d9-b1e8-d48cc97c4754
Password for 'andy':
Authentication realm: <svn://localhost:3690> 5a3a5c16-49ac-46d9-b1e8-d48cc97c4754
Username: andy
Password for 'andy':

---
ATTENTION! Your password for authentication realm:

   <svn://localhost:3690> 5a3a5c16-49ac-46d9-b1e8-d48cc97c4754

can only be stored to disk unencrypted! You are advised to configure
your system so that Subversion can store passwords encrypted, if
possible. See the documentation for details.

You can avoid future appearances of this warning by setting the value
of the 'store-plaintext-passwords' option to either 'yes' or 'no' in
'/Users/andy/.subversion/servers'.
---
Store password unencrypted (yes/no)? yes
svn: Authorization failed

[1] Why does it ask for the password for andy, then ask for a user name and password?

Because the first attempt, it assumed the same ID that you use to log onto the host system or it had cached that ID previously. When that authentication failed, it prompted for a new set of credentials.

[2] What is an authentication realm?

Google can explain it better than I.

[3] Why does it talk about STORING my password, when as far as I know all subversion does is check your password against the contents of the passwd file.

Subversion caches your credentials locally unless you tell it not to.

[4] Why does authentication fail?
[5] Why does authentication fail immediately after the first time?

Because your authentication configuration setup is invalid and the server can't figure out how to properly authenticate you.

[6] I now have an entire directory tree named .subversion in my home directory. I have no idea what any of this stuff is or is supposed to be. Is this what is blocking me from my repository?

This is where your client stores its local configuration information.

[7] The repository was created by svnadmin create ... which has to be executed as root. Does this mean that only root can access this repository from now on? That doesn't make sense.

svnadmin create can be executed by anyone. The permissions required are due to the ACL on the directory in which you created the repository. The user ID under which your Subversion server process executes must have full permission on this directory. IOW - change ownership to whatever ID svnserve is running under.
Re: Subversion access control
Hello Andy Canfield, on Tuesday, 19 July 2011 at 12:50 you wrote:

[1] Why does it ask for the password for andy, then ask for a user name and password?

The svn client first tried the last used user or your current username on the underlying OS.

[2] What is an authentication realm?

It's some string to show you to which repository you want to authorize. It can be configured in the repository configuration using the realm key. This way you wouldn't get GUIDs like above, but for example Repo XY.

realm = Repo XY

[3] Why does it talk about STORING my password, when as far as I know all subversion does is check your password against the contents of the passwd file.

The svn client can store your password for convenience.

[4] Why does authentication fail?

The passwd file could not be read or you provided the wrong password.

[5] Why does authentication fail immediately after the first time?

Same as [4].

[6] I now have an entire directory tree named .subversion in my home directory. I have no idea what any of this stuff is or is supposed to be. Is this what is blocking me from my repository?

Unlikely; in this directory the client stores auth credentials etc.

[7] The repository was created by svnadmin create ... which has to be executed as root. Does this mean that only root can access this repository from now on? That doesn't make sense.

If you mean access in the svn way, then now everyone in passwd can access the repository. If you mean access in terms of file systems, then it depends on the permissions who can do what.

Kind regards,

Thorsten Schöning

--
Thorsten Schöning
AM-SoFT IT-Systeme - Hameln | Potsdam | Leipzig
Phone: Potsdam: 0331-743881-0
E-Mail: tschoen...@am-soft.de
Web: http://www.am-soft.de

AM-SoFT GmbH IT-Systeme, Konsumhof 1-5, 14482 Potsdam
Amtsgericht Potsdam HRB 21278 P, Managing Director: Andreas Muchow
RE: Subversion access control
Hello Andy Canfield, on Tuesday, 19 July 2011 at 12:50 you wrote:

[1] Why does it ask for the password for andy, then ask for a user name and password?

The svn client first tried the last used user or your current username on the underlying OS.

[2] What is an authentication realm?

It's some string to show you to which repository you want to authorize. It can be configured in the repository configuration using the realm key. This way you wouldn't get GUIDs like above, but for example Repo XY.

realm = Repo XY

The realm is a way that you can have a poor man's single sign on. Basically, if you equate a realm to a password file this works well. For example, if you have 3 repos that all use the same password file you can use the same realm for all of them. The credentials on the client are cached at the realm level. So, if you use a separate realm for each repo then you have to log in the first time you use each repo. However, if you specify the same realm for each repository then once the client has credentials for a certain realm cached it won't need to request credentials again.

BOb
Re: Subversion access control
On Tue, Jul 19, 2011 at 11:14 PM, Andy Canfield andy.canfi...@pimco.mobi wrote:
One thing has hit my mind today that I don't think you realize ... I have never, in my entire life, seen a working Subversion system. Apparently Subversion, as distributed, doesn't work - the access authentications are deliberately turned off.

I'm afraid it depends on your access requirements. Seriously. Which access technology are you using? svn+ssh (which I tend to recommend), or Apache (using https://), or svn directly (svn://)? Start with that and we'll walk you through it. And please read the walkthroughs at http://svnbook.red-bean.com/, which are pretty good, so we can help based on *which* approach you want to use.

It would be really neat if somebody had a sample repository on Linux in /var/svn and could tar it up and get it to me. Or zip it along with 'ls -l' output also. E-mail it or post it on the internet. I would like to see what the contents of server.conf and passwd and authz are IN AN ACTUAL WORKING SYSTEM. I would like to see what the file ownerships are and file access permissions. I could test this. I could make obvious changes to it (e.g. user names) and it should continue to work. Having a working Subversion system I could then make small incremental changes to it and keep it working. I would like to have a working system that I could break, rather than a broken system that I can't figure out how to fix. Thanks.
Subversion access control
We are running svnserve on a Mac OS X. I can not get the subversion server to control access. I executed the server by this command:

/usr/bin/svnserve --daemon --root=/var/svn --config-file=/var/svn/config/svnserve.conf

As long as file /var/svn/config/svnserve.conf contains the original line:

# anon-access = read

this command works:

svn info svn://localhost/sample

Of COURSE I don't want random hackers to have read access to my source code! As soon as that line is changed to

anon-access = none

the error message comes back:

svn: No access allowed to this repository

(By the way, I originally changed the # to a space and got an error on that line. Apparently the keyword MUST start in the first column.)

I have added this line to 'passwd' -

andy = canfield

I have added these lines to 'authz' -

[/sample]
andy = rw

The documentation for 'svn' says that if you don't give a user name and password you will be prompted for them. I have never under any circumstances been prompted. Even this command fails with the same error message:

svn info --username=andy --password=canfield svn://localhost/sample
Subversion: Access control management
The file /var/svn/sample/README.txt says *This is a Subversion repository; use the 'svnadmin' tool to examine it. Do not add, delete, or modify files here unless you know how to avoid corrupting the repository.* but as far as I know there are no svnadmin tools to control access to the repository; the only way to control access to the repository is to manually edit the files in the 'conf' subdirectory, which the README.txt file tells you not to do.
Re: Subversion access control
On Sun, Jul 17, 2011 at 02:06, Andy Canfield andy.canfi...@pimco.mobi wrote:

We are running svnserve on a Mac OS X. I can not get the subversion server to control access. I executed the server by this command:

/usr/bin/svnserve --daemon --root=/var/svn --config-file=/var/svn/config/svnserve.conf

As long as file /var/svn/config/svnserve.conf contains the original line:

# anon-access = read

this command works:

svn info svn://localhost/sample

Of COURSE I don't want random hackers to have read access to my source code! As soon as that line is changed to

anon-access = none

the error message comes back:

svn: No access allowed to this repository

(By the way, I originally changed the # to a space and got an error on that line. Apparently the keyword MUST start in the first column.)

I have added this line to 'passwd' -

andy = canfield

I have added these lines to 'authz' -

[/sample]
andy = rw

The documentation for 'svn' says that if you don't give a user name and password you will be prompted for them. I have never under any circumstances been prompted. Even this command fails with the same error message:

svn info --username=andy --password=canfield svn://localhost/sample

Did you specify in svnserve.conf where your passwd and authz files are located?
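The question above points at the usual root cause. As an added check (not code from the thread or from Subversion), this script flags the svnserve.conf mistakes the thread runs into: anon-access left at its default of read, password-db or authz-db not set, no realm, and an option indented off column one. It assumes the stock layout with a [general] section and uses two constructed sample files.

```python
import configparser

# Constructed sample: the stock file with anon-access still commented out, no
# authz-db, and an indented option, which is the state this thread started from.
WEAK_CONF = """
[general]
### Visit http://subversion.apache.org/ for more information.
# anon-access = read
# auth-access = write
 password-db = passwd
"""

# Constructed sample of the settings the thread arrives at, plus an explicit realm.
FIXED_CONF = """
[general]
anon-access = none
auth-access = write
password-db = passwd
authz-db = authz
realm = Sample Repositories
"""


def lint_svnserve_conf(text):
    """Return a list of findings for an svnserve.conf; an empty list means none found."""
    findings, kept = [], []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.lstrip()
        # svnserve rejects an indented option (the thread saw an error on such a
        # line), so report it and leave it out of the parse instead of honouring it.
        if line != stripped and stripped and not stripped.startswith(("#", ";")):
            key = stripped.split("=", 1)[0].strip()
            findings.append(f"line {n}: option {key!r} is indented; it must start in column one")
            continue
        kept.append(line)
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("\n".join(kept))
    general = cp["general"] if cp.has_section("general") else {}
    anon = general.get("anon-access", "read")  # svnserve's built-in default
    if anon != "none":
        findings.append(f"anon-access = {anon}: unauthenticated clients can read the repositories")
    if "password-db" not in general:
        findings.append("no password-db: svnserve has no user database, so nobody can authenticate")
    if "authz-db" not in general:
        findings.append("no authz-db: every authenticated user gets auth-access to whole repositories")
    if "realm" not in general:
        findings.append("no realm: clients cache credentials under the repository UUID instead")
    return findings
```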
Re: Subversion: Access control management
On Sun, Jul 17, 2011 at 02:07, Andy Canfield andy.canfi...@pimco.mobi wrote:

The file /var/svn/sample/README.txt says

This is a Subversion repository; use the 'svnadmin' tool to examine it. Do not add, delete, or modify files here unless you know how to avoid corrupting the repository.

but as far as I know there are no svnadmin tools to control access to the repository; the only way to control access to the repository is to manually edit the files in the 'conf' subdirectory, which the README.txt file tells you not to do.

Your svnserve config file can be located anywhere svnserve has read permission on. Use the --config-file option to specify the full path. $REPOS/conf is merely the default location, and it's implied that a configuration should be editable as needed.
Re: Subversion access control
I don't know your needs, but have you considered using svn+ssh instead? This transfers authentication over to ssh, which simplifies things quite a bit. Since all it is doing is making a tunnel and then calling svnserve as the user logging in, you can still retain user based permissions.

Matt

Matthew Beals
Michigan Technological University
Department of Atmospheric Sciences
1400 Townsend Drive
B019a Fisher Hall
Houghton, MI 49931
mjbe...@mtu.edu

----- Original Message -----
From: Andy Canfield andy.canfi...@pimco.mobi
To: users@subversion.apache.org
Sent: Sunday, July 17, 2011 2:06:21 AM GMT -05:00 US/Canada Eastern
Subject: Subversion access control

We are running svnserve on a Mac OS X. I can not get the subversion server to control access. I executed the server by this command:

/usr/bin/svnserve --daemon --root=/var/svn --config-file=/var/svn/config/svnserve.conf

As long as file /var/svn/config/svnserve.conf contains the original line:

# anon-access = read

this command works:

svn info svn://localhost/sample

Of COURSE I don't want random hackers to have read access to my source code! As soon as that line is changed to

anon-access = none

the error message comes back:

svn: No access allowed to this repository

(By the way, I originally changed the # to a space and got an error on that line. Apparently the keyword MUST start in the first column.)

I have added this line to 'passwd' -

andy = canfield

I have added these lines to 'authz' -

[/sample]
andy = rw

The documentation for 'svn' says that if you don't give a user name and password you will be prompted for them. I have never under any circumstances been prompted. Even this command fails with the same error message:

svn info --username=andy --password=canfield svn://localhost/sample