On 12/01/2013 04:51 PM, olli hauer wrote:
> On 2013-12-01 15:39, Peter Flynn wrote:
>> I have a number of svn repositories running under Apache+subversion on
>> CentOS6/64, with Submin to provide a web GUI to manage them:
>>
>>   server.name/svn/foo
>>   server.name/svn/bar
>>   server.name/svn/blort
>> etc
>>
>> All of them are private; all but one of them are single-user (me) so
>> that I can carry on working from any of my machines in multiple
>> locations. One of them is shared with colleagues on a project: they all
>> have read/write privs on that repo.
>>
>> The URIs are not published or linked, and my colleagues are all well
>> aware of the need to keep their shared URI private. But the requirement
>> is that none of them must be open to casual read access via a web
>> browser, in case someone happens to stumble upon or guess the URI.
>>
>> I am having problems getting the access privs right, as they keep
>> causing "svn: E220000: Not authorized to open root of edit operation"
>> during an svn up. However, in a long exchange with the very helpful
>> submin support
>> (https://ssl.supermind.nl/collab/projects/submin/ticket/336) we have
>> failed to identify settings that work.
>>
>> Currently the svn/conf/authz file says
>>
>>> [groups]
>>> dev = a,b,c,d,e,me
>>>
>>> [foo:/]
>>> @dev = rw
>>>
>>> [bar:/]
>>> me = rw
>>>
>>> [blort:/]
>>> me = rw
>>
>> The Apache conf.d/subversion.conf says:
>>
>>> <Location /svn>
>>>    DAV svn
>>>    SVNParentPath /var/lib/submin/svn
>>> # removed GET from LimitExcept to prevent casual browsing
>>>    <LimitExcept PROPFIND OPTIONS REPORT>
>>>       AuthType Basic
>>>       AuthName "Authorization Realm"
>>>       AuthUserFile /etc/svn.auth
>>>       Require valid-user
>>>    </LimitExcept>
>>> </Location>
>>
>> and svn.auth specifies a username:encryptedpassword pair for each member
>> of [groups] in the usual way.
>>
>> 1. Browsing with a web browser causes a prompt for the username/password
>> as expected.
>>
>> 2. An svn ci operation works fine.
>>
>> 3. An svn up operation fails, and always causes an E220000 error.
>>
>> 4. Replacing the GET in the LimitExcept config allows svn up to work
>> without error, but allows casual browsing of the web interface.
>>
>> Is there a way to prevent the casual browsing while avoiding the E220000
>> error?
>>
> 
> 
> You do not have AuthzSVNAccessFile $path/to/authz in your Location config.

I'm sorry, I omitted to say that the submin installation included an
apache-svn.conf which is soft-linked into the httpd/conf.d directory,
and that *does* include the AuthzSVNAccessFile
/var/lib/submin/conf/authz line. This is the default for submin.

> <IfModule mod_authn_dbd.c>
>     DBDriver sqlite3
>     DBDParams "/var/lib/submin/conf/submin.db"
> 
>     <IfModule mod_dav_svn.c>
>         <Location "/svn">
>             DAV svn
>             SVNParentPath /var/lib/submin/svn
> 
>             AuthType Basic
>             AuthName "Subversion repository"
> 
>             # Authentication
>             AuthBasicProvider dbd
>             AuthDBDUserPWQuery "SELECT password FROM users WHERE name=%s"
> 
>             # Authorization
>             AuthzSVNAccessFile /var/lib/submin/conf/authz
> 
>             Satisfy Any
>             Require valid-user
>         </Location>
>     </IfModule>

(and mod_authn_dbd is included in httpd.conf). Is this Location
conflicting with the one in subversion.conf, and which one should take
precedence?

///Peter
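
Added example, not part of the original thread and not Subversion's or Submin's own code: a small evaluator for the authz file quoted above, showing what each identity, including an unauthenticated request (None), is granted on each repository. It assumes a simplified model of path-based authorization (longest matching path wins, repo-specific sections first, no access unless a line matches) and supports only the constructs that file uses, plus `*`.

```python
import configparser

# The authz file quoted in the thread (user names are the poster's placeholders).
AUTHZ = """\
[groups]
dev = a,b,c,d,e,me
[foo:/]
@dev = rw
[bar:/]
me = rw
[blort:/]
me = rw
"""

def load_authz(text):
    """Return (groups, rules); rules maps (repo, path) -> {subject: rights}."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user names case-sensitive
    cp.read_string(text)
    groups, rules = {}, {}
    for section in cp.sections():
        if section == "groups":
            for name, members in cp[section].items():
                groups[name] = {m.strip() for m in members.split(",")}
        else:
            repo, _, path = section.rpartition(":")
            rules[(repo, path)] = dict(cp[section])
    return groups, rules

def access(groups, rules, user, repo, path="/"):
    """Rights ('', 'r' or 'rw') for user (None = unauthenticated) on repo:path."""
    # Simplified model: the longest matching path wins, repo-specific first.
    hits = [(len(p), r == repo, subj) for (r, p), subj in rules.items()
            if r in (repo, "") and (path + "/").startswith(p.rstrip("/") + "/")]
    for _, _, subjects in sorted(hits, key=lambda h: h[:2], reverse=True):
        matched = [rights for who, rights in subjects.items()
                   if who in ("*", user)
                   or (who[:1] == "@" and user in groups.get(who[1:], ()))]
        if matched:  # union of every line that names this identity
            return "".join(c for c in "rw" if c in "".join(matched))
    return ""  # nothing matched: Subversion denies by default

def report(users=(None, "a", "me"), repos=("foo", "bar", "blort")):
    groups, rules = load_authz(AUTHZ)
    return {(u, r): access(groups, rules, u, r) for u in users for r in repos}

if __name__ == "__main__":
    for (user, repo), rights in report().items():
        print(f"{user or 'anonymous':<10} {repo:<6} {rights or 'no access'}")
```

With this file no section contains a `*` line, so any request that reaches the authz check without credentials is granted nothing on any of the three repositories.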
