Hello,

I have an observation on the mod_authz_svn Module in combination with an 
authorized user.

I have a configuration with an Apache 2.4, mod_lua and Subversion modules 
1.9.xx. This is my repo conf:
<Location /svn/repo>
    DAV svn
    SVNPath "/.../repo"
    LuaHookCheckUserID "/etc/apache2/lua/hook.lua" authcheck_hook
    AuthzSVNAccessFile "/.../repo.access"
    Require valid-user
</Location>

As you can see, the authorization is done by the Lua script. As I understand 
it, this can be used as a full replacement for, for example, Basic Authentication. 
My simple hook.lua accepts every user and sets the user field on the 
request object (i.e. the user is accepted):

require 'apache2'
function authcheck_hook(r)
   r.user = "myuser"
   r:debug("Accepted user " .. r.user)
   return apache2.OK
end

So in every case, the user gets authenticated, which I can see in the log.
Next, I call the webserver with a simple curl command: "curl 
http://localhost:4402/svn/repo"

Case 1:
- The accessfile configures my user to have access on repo-root:
[repo:/]
myuser = rw
- The curl-Command shows me a repo-root but none of the files below.
- The error_log shows that my user got authorized on root:
[Fri Jan 19 21:20:58.735108 2018] [authz_svn:info] [pid 3465:tid 140589093869312] [client ::1:59812] Access granted: 'myuser' GET (null)
- But I'm not allowed to see a file below:
[Fri Jan 19 21:20:58.735706 2018] [authz_svn:info] [pid 3465:tid 140589093869312] [client ::1:59812] Access denied: - GET repo:/muhmiau.txt

Case 2:
- The accessfile configures everybody to have access on repo-root:
[repo:/]
* = rw
- The curl-Command shows me a repo-root and the files below.
- The error_log tells that my user is allowed to see the root and the file:
[Fri Jan 19 21:26:03.803831 2018] [authz_svn:info] [pid 3425:tid 140589085476608] [client ::1:59814] Access granted: 'myuser' GET (null)
[Fri Jan 19 21:26:03.806508 2018] [authz_svn:info] [pid 3425:tid 140589085476608] [client ::1:59814] Access granted: 'myuser' GET repo:/muhmiau.txt

Case 3:
- Now I have an accessfile, which allows everyone to rw, but not my user:
[repo:/]
* = rw
myuser =
- Curl shows me the full repo content
- The error_log tells that my user is allowed to see the root and the file:
[Fri Jan 19 21:29:57.383442 2018] [authz_svn:info] [pid 3426:tid 140589085476608] [client ::1:59816] Access granted: 'myuser' GET (null)
[Fri Jan 19 21:29:57.385402 2018] [authz_svn:info] [pid 3426:tid 140589085476608] [client ::1:59816] Access granted: - GET repo:/muhmiau.txt

That raised several questions:
1. Why is my user not "known" for a special file in Case 1, when it generally 
works? (Case 2)
2. Why does the restriction of a right (Case 3) not lead to a restricted 
view? As you can see in the log, the user is not known (like in Case 1).

For me, especially Case 3 looks suspicious.

Any help would be appreciated.

Thanks and Kind Regards,
Stefan
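The logged per-file checks above run as user `-` (no authenticated user), and in an AuthzSVNAccessFile the `*` principal is the one pattern that also matches an unauthenticated request, while an explicit per-user entry overrides it. The following added example (not part of the mail and not Subversion's own code) is a simplified evaluator of those access-file semantics; the three constructed access files mirror the cases in the mail, and `CASE3_FIXED` is an assumed hardened variant using `$authenticated`, which matches only authenticated users.

```python
import configparser
from typing import Optional

# Constructed access files mirroring the three cases in the mail.
CASE1 = "[repo:/]\nmyuser = rw\n"
CASE2 = "[repo:/]\n* = rw\n"
CASE3 = "[repo:/]\n* = rw\nmyuser =\n"
# Assumed hardened variant of Case 3: '$authenticated' never matches an unauthenticated request.
CASE3_FIXED = "[repo:/]\n$authenticated = rw\nmyuser =\n"

def parse_access_file(text: str) -> dict:
    """Parse an access file into {(repo, path): {principal: rights}}.
    Simplified model: [groups] and [aliases] sections are not handled."""
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                   interpolation=None)
    cp.optionxform = str  # keep principal names such as $authenticated case-sensitive
    cp.read_string(text)
    rules = {}
    for section in cp.sections():
        repo, _, path = section.partition(":")
        rules[(repo, path or "/")] = {k: (v or "").strip() for k, v in cp.items(section)}
    return rules

def rights_for(rules: dict, repo: str, path: str, user: Optional[str]) -> str:
    """Rights of `user` (None = no authenticated user, logged as '-') on repo:path.
    The most specific section whose path is a prefix of `path` applies; within it an
    explicit entry for the user overrides '$authenticated'/'$anonymous', which override '*'."""
    best = None
    for (r, p), entries in rules.items():
        if r != repo:
            continue
        if path == p or path.startswith(p.rstrip("/") + "/"):
            if best is None or len(p) > len(best[0]):
                best = (p, entries)
    if best is None:
        return ""
    entries = best[1]
    if user is not None and user in entries:
        return entries[user]  # explicit entry wins, even when it is empty (deny)
    special = "$anonymous" if user is None else "$authenticated"
    if special in entries:
        return entries[special]
    return entries.get("*", "")  # '*' matches everyone, including unauthenticated '-'

def can_read(text: str, repo: str, path: str, user: Optional[str]) -> bool:
    return "r" in rights_for(parse_access_file(text), repo, path, user)

if __name__ == "__main__":  # Case 3: explicit deny for myuser vs. the unauthenticated '-' check
    print(can_read(CASE3, "repo", "/muhmiau.txt", "myuser"), can_read(CASE3, "repo", "/muhmiau.txt", None))
```

Run against the page's cases, the model denies `-` in Case 1 and grants `-` in Case 3, matching the two per-file log lines, so the `myuser =` deny is only bypassed because the check was made without the authenticated user.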
