Path-based access control issues in Subversion - a tip

I'd been accessing Subversion fine by both HTTP (apache2) and SSH until today, when I had a need to restrict a user to a specific directory. Following the config at http://svnbook.red-bean.com/en/1.4/svn.serverconfig.pathbasedauthz.html I got it set up, but I experienced a strange issue where requests for the specific directory were rejected with a 403 access denied to the OPTIONS request.

If I used a path directive like [reponame:/] it worked as expected. If I used a path directive like [/] it worked as expected.

But if I used a path directive like [reponame:/path/to/dir/] then it returned a 403 against the OPTIONS request when auth details were provided.

Turned out that the issue was the trailing directory slash - this isn't mentioned in the documentation linked above, but if the directory path has a trailing slash, Subversion will deny all access. So, rather than [reponame:/path/to/dir/], use [reponame:/path/to/dir]

The access file /home/www-home/svn.example.org/control reads:

[groups]
example = chris
client = sally, fred
[example:/]
chris = rw
[client:/sites/example.com/]
sally = rw
[client:/]
fred = rw

With this file, Sally will not have access to http://svn.example.org/client/sites/example.com/ (the path in her rule ends with a trailing slash), but Fred will.
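A check for this pitfall, as an added example that is not part of the original post: the function below scans the text of an authz file for path rules whose path ends in a slash and suggests the corrected header. The function name and the regular expression are this example's own; the sample input is the access file shown above.

```python
import re

# Matches a path rule header: [/path] or [repo:/path].
# [groups] and [aliases] do not match because their content has no leading "/".
SECTION = re.compile(r"^\s*\[(?:(?P<repo>[^:\]/]+):)?(?P<path>/[^\]]*)\]\s*$")


def find_trailing_slash_rules(authz_text):
    """Return (line_no, header, suggested_header) for each rule path ending in '/'."""
    findings = []
    for line_no, line in enumerate(authz_text.splitlines(), start=1):
        m = SECTION.match(line)
        if not m:
            continue  # group definitions, user lines, comments, blank lines
        path = m.group("path")
        if path != "/" and path.endswith("/"):
            # Strip every trailing slash, but never reduce the path below "/".
            fixed = path.rstrip("/") or "/"
            prefix = f"{m.group('repo')}:" if m.group("repo") else ""
            findings.append((line_no, line.strip(), f"[{prefix}{fixed}]"))
    return findings


# The access file from this post, reproduced as sample input.
SAMPLE = """\
[groups]
example = chris
client = sally, fred
[example:/]
chris = rw
[client:/sites/example.com/]
sally = rw
[client:/]
fred = rw
"""

if __name__ == "__main__":
    for line_no, header, fixed in find_trailing_slash_rules(SAMPLE):
        print(f"line {line_no}: {header} -> use {fixed}")
```

Running it against the access file before reloading Apache catches the rule that would otherwise lock the user out.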

The Apache config reads:

<VirtualHost *>
	ServerAdmin info@svn.example.org
	ServerName svn.example.org
	<Location /repos>
		Options Indexes FollowSymLinks MultiViews
		DAV svn
		SVNParentPath /home/SVN
		SVNListParentPath on
		SVNIndexXSLT "http://svn.example.org/svnindex.xsl"
		AuthzSVNAccessFile /home/www-home/svn.example.org/control
		# anonymous first
		Satisfy Any
		Require valid-user
		# authenticating them valid ones
		AuthType Basic
		AuthName "EO Subversion"
		AuthUserFile /home/www-home/svn.example.org/passwd
	</Location>
	Alias /svnindex.xsl /var/www/apache2-default/svnindex.xsl
	Alias /svnindex.css /var/www/apache2-default/svnindex.css
	ErrorLog /var/log/apache2/error.log
	CustomLog /var/log/apache2/sites/svn.log combined
	CustomLog /var/log/apache2/svn_log "%t %u %{SVN-ACTION}e" env=SVN-ACTION
	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.
	LogLevel warn
	ServerSignature On
	php_value sendmail_from info@example.org
</VirtualHost>  
