We are using a berkeley-db for authorisation of svn-access.
We have it configured like that:
<Location /svn>
AuthType basic
AuthName "svn Authentication"
AuthBasicProvider dbm
AuthDBMUserFile /****/userDatabase.db
AuthDBMType db
AuthDBMGroupFile /****/userDatabase.db
AuthzDBMType db
SSLRequireSSL
</Location>
Until here everything works fine and people gain access according to their respective groups. No I wanted / need to add some specific users to gain (read-only) access to one repository without changing their groups. I tried the following
<Location /svn/administration>
DAV svn
SVNPath /data/svn/administration
SVNPathAuthz off
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require group svn-admin-readwrite
</LimitExcept>
<Limit GET PROPFIND OPTIONS REPORT>
Require group svn-admin-read
Require user testUser testUser2
</Limit>
</Location>
The modules 'authn_dbm' and 'authz_user' are enabled. Anything (obvious) I am missing here? Any help is appreciated!
Anything (obvious) I am missing here?
Reading (and understanding) some parts of SVN Book, at least "Per-directory access control" (maybe full chapter "httpd, the Apache HTTP Server") and "Path-Based Authorization"
I see at least two weakness in current config
Without DAV svn+SVNParentPath in <Location /svn> container you must to have for N repositories N+1 Location containers and add|remove location for every added|removed repository. Subversion-way is to have single location for parent of repository-dirs
For example, if you know you will be creating multiple Subversion repositories in a directory /var/svn that would be accessed via URLs such as http://my.server.com/svn/repos1, http://my.server.com/svn/repos2, and so on, you could use the httpd.conf configuration syntax in the following example:
<Location /svn>
DAV svn
# Automatically map any "/svn/foo" URL to repository /var/svn/foo
SVNParentPath /var/svn
</Location>
Using this syntax, Apache will delegate the handling of all URLs whose path portions begin with /svn/ to the Subversion DAV provider, which will then assume that any items in the directory specified by the SVNParentPath directive are actually Subversion repositories. This is a particularly convenient syntax in that, unlike the use of the SVNPath directive, you don't have to restart Apache to add or remove hosted repositories.
Path-based ACLs for Subversion in Apache implemented (and used in 99% cases) with authz_svn_module and AuthzSVNAccessFile, in which user's and group's access rights (for any repository in tree or part of repo-tree) defined... and also group's membership, which makes AuthDBMGroupFile obsoleted (and Location without LimitExcept & Limit - more compact and readable)
Related
I have created SVN host using:
<Location /svn>
DAV svn
SVNParentPath /home/xxx/xxx/xxx/xxx/Main_Folder/company-1
AuthType Basic
SVNListParentPath On
AuthName "Test"
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
</LimitExcept>
</Location>`
Although I have specified user privileges in svnserve.conf, it does not seem to "take it" because I can access the repository (see below) without any prompt for user/password.
Can you please point what am I doing wrong?
Thanks!
Read the docs, it seems that you use a wrong configuration file.
Configuration settings in the file svnserve.conf do not have any effect in this particular case. Your server runs Apache and Apache does not process svnserve.conf. This configuration file is used by svnserve custom server only.
I have an Apache server with a Document Root pointing to a location on Linux file system. The directory structure is read-only right now, but I need to provide a way for specific users to either directly delete files or mark files to be deleted (where some automated process can run after words and deleted the files that have been marked as so).
The users don't have ssh access to the box and I need them to be able to do this through the web directory listing.
I should mention all this is happening behind a firewall, so disregard any security risks in your response.
What you're really asking is either:
some file-manager web-app
WebDAV
For filemanager there are myriads of alternatives (for example: eXplorer, phpFileManager
For WebDAV - you need to enable DAV module :
DavLockDB /usr/local/apache2/var/DavLock
<Location /foo>
Order Allow,Deny
Allow from all
Dav On
AuthType Basic
AuthName DAV
AuthUserFile user.passwd
<LimitExcept GET OPTIONS>
Require user admin
</LimitExcept>
</Location>
then use webdav software (Windows calls it web folders AFAIR, Mac and Linux have decent native support as well).
I know there are other questions that look the same, but I wasn't able to find anything useful for my exact case.
My server's URL is: http://servername.domain.com
My server has ZPanel installed, so the path to this in the server is:
/var/zpanel/hostdata/username/public_html/servername_domain_com/
I created a subfolder "svn", set up SVN to use that folder and created repos inside it, changed the owner etc. Surfing to it works, requires login and then you can see "Revision 0". But when trying to check out or do anything, it will give the error from the title.
I installed SVN and put this as the config.
< Location /svn>
DAV svn
SVNParentPath /var/zpanel/hostdata/username/public_html/servername_domain_com/svn
AuthType Basic
AuthName "Subversion repositories"
AuthUserFile /etc/svn-auth-users
Require valid-user
< / Location>
Do you have any idea why it isn't working? I didn't change the virtualhosts file, it simply contains the default link for the servername.domain.com.
Thanks!
If /var/zpanel/hostdata/username/public_html/servername_domain_com/ is your DocumentRoot (i.e. /svn is physical subdirectory), you have misconfiguration from Apache's side:
Single path can not be physical directory and logical path, defined as Location, at the same time
You must to move SVNParentPath outside web-space
I am trying to set up an SVN server on a Linux server, but I am facing the issue in setting up the server:
Below is the configuration I did:
<Location /svn>
DAV svn
SVNParentPath /home/subver/public_html/svn
AuthType Basic
AuthName "Subversion repositories"
AuthUserFile /etc/svn-auth-users
Require valid-user
</Location>
When I try to checkout from my local machine I am getting this error:
Redirect cycle detected for URL 'http:///svn'
Never place repositories physically under ordinary web-root - it's extremely bad and insecure and error-full idea
SVNParentPath /home/subver/public_html/svn + <Location /svn> is your problem. If public_html is web-root of "just Apache" (and it seems so) you have real subdirectory /svn, which you try to redefine with "virtual" Location under the same path and get permanent redirect between these two locations: real and virtual, as expected by any good Apache-admin
Move repositories outside web-space (YOU MUST DO IT), change SVNParentPath accordingly to new location.
Lame and lazy solution, source of future big headache - use another path, than /svn, for Location container
I am setting up SVN on a Red Hat Linux machine. My scenario is that I have two projects in the same directory:
/var/www/svn/proj1
/var/www/svn/proj2
My subversion.conf has the following configurations:
<Location /svn/proj1>
DAV svn
SVNPath /var/www/svn/proj1
AuthzSVNAccessFile /etc/svn_proj1-acl-conf
AuthType Basic
AuthName "Subversion repos"
AuthUserFile /etc/svn-auth-conf
Require valid-user
</Location>
<Location /svn/proj2/>
DAV svn
SVNParentPath /var/www/svn/proj2
SVNListParentPath on
AuthzSVNAccessFile /etc/svn_proj2-acl-conf
AuthType Basic
AuthName "Subversion repos"
AuthUserFile /etc/svn-auth-conf
Require valid-user
</Location>
For project1 my URL http://www.example.com/svn/proj1 works pretty good, but for project2 I need to add trailing slash in the end of URL, http://www.example.com/svn/proj2/ or else it doesn't return with a user/password window.
If I remove the trailing slash from the location directive,
<Location /svn/proj2>
then it starts giving a 403 Forbidden error, no matter if I use a slash or not in the browser.
I am using it with TortoiseSVN, but project2 isn't working at all.
What should I look at in configurations?
Confused. Confused. Confused...
But, I'm easily confused...
You have two projects. The first one you use:
SVNPath /var/www/svn/proj1
and the second you use:
SVNParentPath /var/www/svn/proj2
Why is one SVNPath and the other SVNParentPath? There's a difference. You specify SVNPath when you refer to a particular repository. You use SVNParentPath when you refer to a directory that contains multiple repositories.
So, exactly what is your setup? I have a feeling that they both should be SVNPath.
By the way, I notice you have the same user list, but separate AuthzSVNAccessFile access files. Are you merely stopping people from committing, or are you preventing people from reading particular files and directories?
Normal practice is to allow users to see all files, but to prevent commit access. In that case, you may want to do that outside of Apache httpd, using my pre-commit hook. This allows you to do two things:
Turn off directory checking access which speeds up Subversion.
Change commit permissions without restarting Apache httpd.
You can then configure both directories in a single configuration:
<Location /svn>
DAV svn
SVNParentPath /var/www/svn
SVNListParentPath on
AuthType Basic
AuthName "Subversion repos"
AuthUserFile /etc/svn-auth-conf
SVNPathAuthz off
Require valid-user
</Location>
Of course, if you're using AuthzPath to prevent read access, you have to use the AuthzSVNAccessFile parameter. But, it makes things more complex, and it slows you down. I usually recommend against it unless users aren't suppose to be able to peek at each other repos (which is quite rare).
And, one more thing... Do your users have LDAP or Windows Active Directory accounts? If so, you can use that to determine Subversion repository access:
LoadModule authnz_ldap_module modules/authnz_ldap.so
<Location /svn>
DAV svn
SVNParentPath /var/www/svn
SVNListParentPath on
AuthType basic
AuthName "Subversion Repository"
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL "ldap://windomain.mycorp.com:3268/dc=mycorp,dc=com?sAMAccountName" NONE
AuthLDAPBindDN "CN=svn_user,OU=Users,DC=mycorp,DC=com"
AuthLDAPBindPassword "swordfish"
Require ldap-group CN=developers,CN=Users,DC=mycorp,DC=com
</Location>
This way, if a user has a Windows account (or is in your LDAP database), and that user is in the developers group, they automatically have access to your Subversion repositories (note the SVNParentPath for both repos and any future ones). This way, you're not constantly adding and subtracting users out of your SVN AUthorization file. Plus, you're not constantly retrieving forgotten passwords.
Now, that's all your Windows administrator's responsibility. It's magic. I made your task their job. User doesn't have Subversion access? No longer your problem. More time to play Angry Birds.
One more tiny thing: I have a feeling you don't want to place your repository under /var/www for the simple reason that might be your document root. If you're not careful, you might be granting direct access to your Subversion repository directory.
You're better off putting them elsewhere and changing the SVNParentPath.
The Location and SVNParentPath directive should have the same trailing slash rule: either with or without.
So it should be:
<Location /svn/proj2/> <--- Here trailing slash (or not)
[..]
SVNPath /var/www/svn/proj2/ <--- Here same like Location
[...]
</Location>