On 8/19/13 9:07 AM, Scott Frankel wrote: > I'm new to SVN server configuration and find myself setting up a CentOS 6.4 > server with svn version 1.6.1, following the red-bean book.
I'd strongly urge you not to use 1.6.1, see the list of applicable security issues here: http://subversion.apache.org/security/ If you're using the CentOS packages they may have patched those issues without updating the svn version number. You should check that though. If you're setting a new server I wouldn't start with 1.6.x but would go straight to 1.7.x or 1.8.x, probably 1.8.x if you can. > I'm having difficulty with authorization &/or authentication: my repo > appears to be accessible by anyone in spite of requiring "valid-user" and > specifying digest authentication. I believe this because 1) I can download a > full working copy of the repo to a 3rd-party logged into a foreign computer, > and 2) I have dozens of entries in apache's logfiles, like these from this > morning, *prior* to any known/legitimate access to my repos today: > > svn_logfile: > [19/Aug/2013:00:46:32 +0000] - checkout-or-export / r1 depth=infinity That does indeed look like access without a user. > access_log > 93.174.93.213 - - [19/Aug/2013:07:23:50 +0000] "GET > /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 319 "-" "ZmEu" > > error_log > [Mon Aug 19 07:23:51 2013] [error] [client 93.174.93.213] File does not > exist: /var/www/html/MyAdmin These however do not appear to be alarming at all. Neither of them are under the /svn Location on your server where you have put the Require valid-user requirement. They appear to me to be just normal probes run by someone looking for security holes. This sort of thing is just going to be a normal part of running a server on the Internet. > <Location /svn> > DAV svn > SVNParentPath /var/svn > > # Authentication: Digest > AuthName "Subversion repository" > AuthType Digest > AuthUserFile /etc/svn-auth.htdigest > > # Authorization: Authenticated users only > Require valid-user > </Location> I'm not seeing anything wrong with this, so I'm not sure why you're having a problem. You didn't mention it but I'm wondering what version of httpd you're running, I'm assuming 2.2.x since you're using 1.6.1 on CentOS 6.4.
