Re: restricting sub-directory permissions

2009-12-21 Thread Gabriel Ricardo
Hi Jon,
The link you sent was helpful and the final workaround mentioned in
the article seems to work, except one thing...
There seems to be a security hole, which is that web-browsing of the
restricted sub-directory is still possible using the anonymous-open
URL.  Thus, the solution does not seem to be feasible. I'll follow up
by commenting directly on the author's article, but if anyone has any
other suggestions, it would be greatly appreciated.

Thanks,


On Sun, Dec 20, 2009 at 10:36 PM, Gabriel Ricardo
gabriel.rica...@gmail.com wrote:
 Thanks for all the responses.   I tried all of the suggestions, but
 unfortunately none of them worked.  I also downloaded and installed
 subversion 1.6.5, along with apache 2.2.14 to see if maybe I needed
 more recent versions.  I still have the same strange behavior, where
 either the sub-directory appears to users as if it does not exist, or
 all users can access it.  Very frustrating.  Seems like this is an
 area of subversion functionality that would greatly benefit from some
 more documentation, or some subversion developers troubleshooting why
 this breaks down for so many users.



 On Thu, Dec 17, 2009 at 3:08 AM, Jon Foster jon.fos...@cabot.co.uk wrote:
 Hi,

 Gabriel Ricardo wrote:
 I cannot figure out how to restrict permissions on a sub-directory.
 What I want is to have anonymous read/write access to everything
 except a sub-directory, where only two users have read/write and
 everyone else has no access (read or write).  I've done a lot of

 This looks relevant:

 http://blogs.open.collab.net/svn/2007/03/authz_and_anon_.html
 Since anonymous users can checkout the tree, Apache never bothers
 to query you for authentication credentials. And you can't force
 Subversion to transmit authentication credentials when Apache
 hasn't asked for them.

 There are workarounds documented in the blog post.

 Kind regards,

 Jon






restricting sub-directory permissions

2009-12-16 Thread Gabriel Ricardo
I cannot figure out how to restrict permissions on a sub-directory.
What I want is to have anonymous read/write access to everything
except a sub-directory, where only two users have read/write and
everyone else has no access (read or write).  I've done a lot of
reading of the manual and googling the users list but can't find
anything that solves my problem.
Much appreciated if someone can point out my mistake.

I'm using Redhat 5.2, which comes with subversion 1.4.2 (r22196) and
apache 2.2.3

I have one repository at /usr/local/vn7/repos
The relevant parts of my httpd.conf look like this:
# SVN setup
<Location /svn>
DAV svn
SVNPath /usr/local/vn7/repos
# our access control policy
AuthzSVNAccessFile /usr/local/vn7/etc/svn_auth_paths
# try anonymous access first, resort to real
# authentication if necessary.
Satisfy Any
Require valid-user

# how to authenticate a user
AuthType Basic
AuthName "Subversion repository"
AuthUserFile /usr/local/vn7/etc/svn_auth_users

</Location>

My AuthUserFile looks like this:
[/]
* = rw

[/Delta/trunk/qsrc/strategies]
mchen = rw
gricardo = rw
* =


I want to restrict the /Delta/trunk/qsrc/strategies directory to only
have the two users mentioned in the file to access it.
What happens is that when I update (svn update) from the
Delta/trunk/qsrc directory of a working copy as user gricardo (or
any other user), I do not get the updates for the strategies
directory.
I don't get any prompt asking for password, or any permission error
messages, it just does a normal update but doesn't seem to know
anything about the sub-directory of interest.
I don't get any errors in the httpd log files.  The httpd access_log has this:
10.10.10.220 - - [16/Dec/2009:11:12:50 -0800] PROPFIND /svn/Delta/trunk/qsrc HTTP/1.1 207 698 - SVN/1.4.2 (r22196) neon/0.25.5
10.10.10.220 - - [16/Dec/2009:11:12:50 -0800] PROPFIND /svn/!svn/vcc/default HTTP/1.1 207 390 - SVN/1.4.2 (r22196) neon/0.25.5
10.10.10.220 - - [16/Dec/2009:11:12:50 -0800] PROPFIND /svn/!svn/bln/376 HTTP/1.1 207 445 - SVN/1.4.2 (r22196) neon/0.25.5
10.10.10.220 - - [16/Dec/2009:11:12:50 -0800] PROPFIND /svn/Delta/trunk/qsrc HTTP/1.1 207 698 - SVN/1.4.2 (r22196) neon/0.25.5
10.10.10.220 - - [16/Dec/2009:11:12:50 -0800] REPORT /svn/!svn/vcc/default HTTP/1.1 200 4247 - SVN/1.4.2 (r22196) neon/0.25.5

The weird thing is if I change the path in the AuthUserFile to this
(add a forward slash at the end of the path):
[/Delta/trunk/qsrc/strategies/]
...then I can update and get the directory and changes under it, but
as ANY user.  It does not restrict access.
I've tried re-ordering the user/anonymous permissions lines, and I
just cannot get the behavior I want.
I can get other types of restricted access to work.  For example, I can
restrict the entire repo to only have user gricardo = rw.  This works,
and it prompts user gricardo for a password and then allows
updates/commits, etc.
Please help.

Thanks,
-Gabriel
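
An added example, not part of the original post and not mod_authz_svn's own code: a simplified Python model of the two symptoms described above, using the posted rule file. It assumes the nearest ancestor section that names the user decides, that section names are compared verbatim, and that under Satisfy Any Apache only asks for credentials when anonymous access to the requested URL is refused; all function names are hypothetical.

```python
# Simplified model of path-based authz behind "Satisfy Any" (not mod_authz_svn itself).
POSTED = """
[/]
* = rw

[/Delta/trunk/qsrc/strategies]
mchen = rw
gricardo = rw
* =
"""
# Constructed variant: the same file with the trailing slash tried in the post.
TRAILING = POSTED.replace("strategies]", "strategies/]")
QSRC = "/Delta/trunk/qsrc"
STRAT = QSRC + "/strategies"

def parse_authz(text):
    """Return {section_path: {name: perms}} for '[path]' / 'name = perms' lines."""
    rules, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = rules.setdefault(line[1:-1], {})
        elif section is not None and "=" in line:
            name, perms = line.split("=", 1)
            section[name.strip()] = perms.strip()
    return rules

def can_read(rules, user, path):
    """user=None means the request carried no credentials (anonymous)."""
    while True:
        entries = rules.get(path, {})  # assumption: section names compared verbatim
        hits = [p for n, p in entries.items() if n == "*" or n == user]
        if hits:                       # nearest section naming this user decides
            return any("r" in p for p in hits)
        if path == "/":
            return False
        path = path.rsplit("/", 1)[0] or "/"

def effective_user(rules, real_user, request_path):
    """Satisfy Any: no 401 challenge while anonymous access to the URL is allowed."""
    return None if can_read(rules, None, request_path) else real_user

def update_sees_strategies(authz_text, real_user):
    """Does 'svn update' run in QSRC by real_user receive the strategies directory?"""
    rules = parse_authz(authz_text)
    return can_read(rules, effective_user(rules, real_user, QSRC), STRAT)

if __name__ == "__main__":
    print("posted file, gricardo:", update_sees_strategies(POSTED, "gricardo"))
    print("trailing slash, anyone:", update_sees_strategies(TRAILING, None))
    print("gricardo if challenged:", can_read(parse_authz(POSTED), "gricardo", STRAT))
```

In this model the rules themselves would admit gricardo; the directory is hidden only because the client is never challenged and so is evaluated as anonymous, while the trailing-slash section matches no path and leaves the open `[/]` rule in force.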


Re: restricting sub-directory permissions

2009-12-16 Thread Andrey Repin
Greetings, Gabriel Ricardo!

 I cannot figure out how to restrict permissions on a sub-directory.
 What I want is to have anonymous read/write access to everything
 except a sub-directory, where only two users have read/write and
 everyone else has no access (read or write).  I've done a lot of
 reading of the manual and googling the users list but can't find
 anything that solves my problem.
 Much appreciated if someone can point out my mistake.

 I'm using Redhat 5.2, which comes with subversion 1.4.2 (r22196). and
 apache 2.2.3

 I have one repository at /usr/local/vn7/repos
 The relevant parts of my httpd.conf look like this:
 # SVN setup
 <Location /svn>
 DAV svn
 SVNPath /usr/local/vn7/repos
 # our access control policy
 AuthzSVNAccessFile /usr/local/vn7/etc/svn_auth_paths
 # try anonymous access first, resort to real
 # authentication if necessary.
 Satisfy Any
 Require valid-user

 # how to authenticate a user
 AuthType Basic
 AuthName "Subversion repository"
 AuthUserFile /usr/local/vn7/etc/svn_auth_users

 </Location>

 My AuthUserFile looks like this:
 [/]
 * = rw

 [/Delta/trunk/qsrc/strategies]
 mchen = rw
 gricardo = rw
 * =

Try
[/Delta/trunk/qsrc/strategies]
* =
mchen = rw
gricardo = rw

or make a group and tell this directory to
[/Delta/trunk/qsrc/strategies]
~...@group =
@group = rw


--
WBR,
 Andrey Repin (anrdae...@freemail.ru) 17.12.2009, 4:14

Sorry for my terrible english...