0 votes

When I create an SVN project on a server, I modify authz and svnserve.conf to control the access of other users, but after trying many times I found: on the same server, other users can use 'svn co file:///path/to/my/proj' to check out the SVN project without a password, even though I configured all users to have no authority to access my SVN project! Of course, if other users on the same server check out my project using 'svn co svn://', the password and authority are needed.

Have I missed something when using SVN? Thanks!

1
Don't use, and don't allow file:// access. Choosing a Server Configuration - crashmstr
Thank you crashmstr, I have read that web page and learned a lot, thanks :) - Heron

1 Answer

1 vote

If users have filesystem-level access to your repository database, they can check out via file:/// and when using that protocol, there is no other authentication and no path-based authorization.

Even worse, if users have enough permission at the filesystem level, they can corrupt your entire repository by editing/moving/deleting files.

You need to lock down the filesystem permissions on the directory hosting your Subversion repositories such that only administrators and the svnserve process have permission to access it.
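
One way to check and apply the filesystem lock-down described in the answer above, as an added example that is not part of the original post. The function names and the dedicated service account name `svn` are assumptions; use whichever account svnserve actually runs as.

```shell
#!/bin/sh
# Added example: audit and lock down a Subversion repository directory so
# that ordinary local accounts cannot reach it through file:///.
# Assumption: svnserve runs as a dedicated account (called "svn" here).

# Print every path under the repository that group or other can touch.
# POSIX find only: -perm -MODE matches when all bits in MODE are set.
repo_exposed_paths() {
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
                        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Exit status 0 if anything is exposed, non-zero if the tree is owner-only.
repo_is_exposed() {
    [ -n "$(repo_exposed_paths "$1")" ]
}

# Strip all group/other permissions from the repository tree.
# If an owner is given, hand the tree to that account first (needs root).
lock_down_repo() {
    repo=$1
    owner=${2:-}
    if [ -n "$owner" ]; then
        chown -R "$owner" "$repo" || return 1
    fi
    chmod -R go-rwx "$repo"
}

# When run with arguments (repository path, optional owner):
# lock the tree down, then fail if anything is still exposed.
if [ "$#" -gt 0 ]; then
    lock_down_repo "$@" && ! repo_is_exposed "$1"
fi
```

Run it as root with the repository path and the service account as arguments; afterwards clients reach the repository only through `svn://`, where svnserve.conf and authz are enforced.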