3
votes

I've set up an SVN repository served with Apache DAV and LDAP. Everything works smoothly when I access the repository with a user that has read/write permissions for the whole repository.

The repository has many projects and looks like this:

repo_src
 \a
 \b
 \c
 \d
 .. etc..

I need to give a certain user "A" access to a certain subdirectory "a" but not to its parent directory nor to its siblings (b, c, d, etc.)

I read the book "Version Control with Subversion" (http://svnbook.red-bean.com/en/1.6/svn-book.html#svn.serverconfig.pathbasedauthz) about path-based authorization. I did exactly what is specified there: I edited the file svn.authz with something like this:

[src_repo:/a]
A = rw

[src_repo:/]
root = rw

In Apache, the svn config file looks like this:

<Location /svn>
    DAV svn

    SVNParentPath /data/repos/
    AuthName "Zentyal LDAP user required"
    AuthType Basic
    AuthBasicProvider ldap file
    AuthBasicAuthoritative On
    AuthzLDAPAuthoritative off

    AuthLDAPURL ....
    AuthLDAPBindDN ....
    AuthLDAPBindPassword ...
    AuthUserFile /dev/null
    # path-based authorization rules (mod_authz_svn)
    AuthzSVNAccessFile /etc/apache2/svn.authz

    require valid-user

</Location>

When I access the subdirectory src_repo/a through the web interface (http://host/svn/src_repo/a) as user A, I can read the contents of the directory and its files. But when I try to browse the directory http://host/svn/src_repo/a using TortoiseSVN or check out the contents using "svn checkout http://host/svn/src_repo/a" I get this message:

svn: E175002: Server sent unexpected return value (405 Method Not Allowed) in response to PROPFIND request for '/'

Obviously TortoiseSVN and the svn client are trying to access '/' (which is not intended).

How can I set up the svn server to allow only subdirectory access? Why does the web access differ from the command-line or TortoiseSVN access?

2
do you need to block read access on the root? If not, you can add: [/] * = r - Michael
Since read access is recursive, if I add root read access I need to explicitly deny access to every subdirectory other than "\a". This is error prone and against best security practices, since every new project added will require a change in svn.authz. - SDL

2 Answers

3
votes

Please, re-read the book: you overlook and miss some obvious things in the authz-file specification

Short answer, using my repo collection and its authz file as an example:

[/]
*=r

[Elgg-Russian:/]
@Coders=rw

[Elgg-TranslationRU:/]
@Translators=rw

[Hello:/]
lazybadger=rw

[Hello:/trunk]
lukoie=rw

[groups]
Coders=irrelevant,to,question
Translators=irrelevant,to,question

  • I have the root of the repo collection defined in a separate section (as root)
  • I use the shorthand "any user": *
  • I don't use the shorthand "no access", but it exists as an empty string: *= in any section means NO ACCESS
  • I have three repositories for 3 projects, not 1 shared repo for 3 projects, but even in the single-repo case (due to SVNParentPath) I'll start from the / section
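To make the path lookup concrete, here is a small added example (not code from this thread, not Subversion's own implementation) that evaluates the asker's svn.authz, then the same file with Michael's `[/] * = r` added, and finally with the answer's `* =` "no access" shorthand used to close one sibling again. The authz texts are constructed for the example; the repository name `src_repo` and user `A` are taken from the question. The evaluator models the lookup order the answer relies on: the most specific path section wins, a `[repo:/path]` section is consulted before a plain `[/path]` section for the same path, and when neither section says anything about the user the lookup moves up to the parent path, ending at `[/]`. Within one section it takes the most specific matching entry (exact user, then `@group`, then `*`); that in-section tie-break is a simplifying assumption of the example, not something the answer states.

```python
"""Toy evaluator for the path lookup of an SVN authz file (added example).

Not code from the original thread or from Subversion itself. Within one
section the most specific entry (user, then @group, then *) is taken;
that tie-break is an assumption made for this example.
"""
import configparser
from typing import Dict, Optional, Set

# Constructed authz files, modelled on the thread (assumed content).
ASKER_AUTHZ = """
[src_repo:/a]
A = rw

[src_repo:/]
root = rw
"""

# Michael's comment: give everyone read access at the root.
WITH_ROOT_READ = ASKER_AUTHZ + """
[/]
* = r
"""

# The answer's "no access" shorthand (empty right-hand side) on one sibling.
WITH_SIBLING_DENIED = WITH_ROOT_READ + """
[src_repo:/b]
* =
"""


def parse_authz(text: str):
    """Return (groups, rules): group -> member set, section -> {entry: rights}."""
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                   interpolation=None)
    cp.optionxform = str  # user and group names stay case-sensitive
    cp.read_string(text)
    groups: Dict[str, Set[str]] = {}
    if cp.has_section("groups"):
        for name, members in cp.items("groups"):
            groups[name] = {m.strip() for m in (members or "").split(",") if m.strip()}
    rules: Dict[str, Dict[str, str]] = {
        section: {entry: (rights or "").strip() for entry, rights in cp.items(section)}
        for section in cp.sections() if section not in ("groups", "aliases")
    }
    return groups, rules


def _entry_for(section: Dict[str, str], user: str, groups) -> Optional[str]:
    """Rights of the most specific entry in one section matching user, or None."""
    if user in section:
        return section[user]
    for entry, rights in section.items():
        if entry.startswith("@") and user in groups.get(entry[1:], set()):
            return rights
    return section.get("*")  # "" here is the explicit NO ACCESS shorthand


def access(authz_text: str, repo: str, path: str, user: str) -> str:
    """Rights string ('', 'r' or 'rw') that applies to user at repo:path."""
    groups, rules = parse_authz(authz_text)
    path = "/" + path.strip("/")
    while True:
        # repo-specific section first, then the global section for the same path
        for name in (f"{repo}:{path}", path):
            if name in rules:
                rights = _entry_for(rules[name], user, groups)
                if rights is not None:
                    return rights
        if path == "/":
            return ""  # no section mentions the user anywhere: no access
        path = path.rsplit("/", 1)[0] or "/"  # walk up to the parent path


def can_read(authz_text: str, repo: str, path: str, user: str) -> bool:
    return "r" in access(authz_text, repo, path, user)


if __name__ == "__main__":
    scenarios = [("asker's file", ASKER_AUTHZ), ("+ [/] * = r", WITH_ROOT_READ),
                 ("+ [src_repo:/b] * =", WITH_SIBLING_DENIED)]
    for label, text in scenarios:
        for p in ("/", "/a", "/a/sub", "/b", "/c"):
            print(f"{label:22} A at src_repo:{p:7} -> {access(text, 'src_repo', p, 'A')!r}")
```

Running it shows the three states of the thread: with the asker's file user A gets nothing at `/` (so a client that walks up to the repository root is refused) and `rw` under `/a`; adding `[/] * = r` makes `/`, `/b` and `/c` readable for A as well, which is the recursion SDL objects to; adding `[src_repo:/b]` with `* =` closes `/b` and everything below it again while `/c` stays readable.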
0
votes

It seems that this was a temporary problem with the svn client cache. Today, the same configuration worked. I would really love to know what was wrong before, but there is no way to know for sure.