On 07/29/2011 02:10 PM, Cooke, Mark wrote:


-----Original Message-----
From: Andy Canfield [mailto:andy.canfi...@pimco.mobi]
Sent: 29 July 2011 02:27
To: Geoff Hoffman
Cc: Nico Kadel-Garcia; users@subversion.apache.org
Subject: Re: disable security hole in svn+ssh?
<snip>

Apparently, regardless of the protocol, the Subversion
library code always checks $SVNParentPath/$Repository/conf/*
and obeys svnserve.conf and authz. So I need to learn to use
that effectively.
<snip>

I am fairly certain that you are wrong about this; only svnserve looks
at the svnserve.conf and I believe that you can safely remove this file
if you do not use svnserve.  In fact the first lines of the default file
are:

### This file controls the configuration of the svnserve daemon, if you
### use it to allow access to this repository.  (If you only allow
### access through http: and/or file: URLs, then this file is
### irrelevant.)

Apache httpd access would not use it at all and will only apply authz if
you use the AuthzSVNAccessFile directive...

~ mark c

WHOA! Things are getting re-arranged in my mind.

Now I think that svnserve has no global authz file at all, and only relies on the individual authz file in the conf subdirectory in each repository, whereas mod_dav_svn relies on a global authz file identified by the AuthzSVNAccessFile in dav_svn.conf. Does mod_dav_svn check the individual authz file in the directory, also? Or does it rely solely on the global authz file? Is this true?

My current create.php script replaces $SVNParentPath/REPOSITORY/conf/authz with a symbolic link to $SVNParentPath/conf/authz (which is where my AuthzSVNAccessFile points). This gives the same authorizations across the entire repository collection.

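An added example, not part of the original message or of Subversion itself: a shell audit for the layout described in the last paragraph. For each repository under the parent path it reports whether conf/authz resolves to the shared authz file and whether svnserve.conf sets authz-db (svnserve does no path-based access control when authz-db is unset). The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a repository collection laid out as in the message above.
# PARENT stands for $SVNParentPath; GLOBAL is the file AuthzSVNAccessFile names.

# Print "<repo> authz=<linked|local|missing> svnserve-authz=<on|off>" per repository.
audit_authz() {
    parent=$1 global=$2
    for conf in "$parent"/*/conf; do
        [ -d "$conf" ] || continue
        repo_dir=${conf%/conf}
        # A repository has a "format" file beside conf/; skip anything else.
        [ -f "$repo_dir/format" ] || continue
        repo=${repo_dir##*/}
        if [ ! -e "$conf/authz" ]; then
            link=missing            # absent, or a dangling symlink
        elif [ "$conf/authz" -ef "$global" ]; then
            link=linked             # same file as the shared authz (symlinks followed)
        else
            link=local              # a separate per-repository rule set
        fi
        # svnserve applies path rules only when authz-db is set (uncommented).
        if grep -Eq '^authz-db[[:space:]]*=' "$conf/svnserve.conf" 2>/dev/null; then
            served=on
        else
            served=off
        fi
        printf '%s authz=%s svnserve-authz=%s\n' "$repo" "$link" "$served"
    done
}

# Build a constructed sample tree (not real repositories) so the audit runs offline.
make_sample() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/conf" "$root/alpha/conf" "$root/beta/conf"
    printf '[/]\n* = r\n' > "$root/conf/authz"
    for r in alpha beta; do echo 5 > "$root/$r/format"; done
    ln -s "$root/conf/authz" "$root/alpha/conf/authz"
    printf '[general]\nauthz-db = authz\n' > "$root/alpha/conf/svnserve.conf"
    printf '[/]\n* = rw\n' > "$root/beta/conf/authz"
    printf '[general]\n# authz-db = authz\n' > "$root/beta/conf/svnserve.conf"
    echo "$root"
}

if sample=$(make_sample); then
    audit_authz "$sample" "$sample/conf/authz"
    rm -rf "$sample"
fi
```

A repository reported as `authz=local` or `svnserve-authz=off` is one where svnserve and svn+ssh access would not be governed by the shared rules, even if Apache access is.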