I maintain a group of SVN repositories behind Apache2 with mod_svn_dav, and I'm using pwauth to authenticate users (with mod_authnz_external). I have Require directives for valid-user and group svn. This has worked very well for me, but it has now become necessary to introduce more granular permissions - i.e. to restrict access to certain repos only to certain users. From what I understand the best (easiest) way to accomplish this is to use the built-in authz functionality, by setting AuthzSVNAccessFile to a file which lists who can access what. This is what I have set out to do. My current site config looks like this (with log config etc. removed for clarity):
<VirtualHost *:81>
    <Location />
        allow from 127.0.0.1
        DAV svn
        SVNParentPath /var/svn
        SVNListParentPath On
        AuthType Basic
        AuthName "SVN repository"
        AuthBasicProvider external
        AuthExternal pwauth
        AuthzSVNAccessFile /var/svn/dav_authz
        Require valid-user
        Require group svn
    </Location>
    <IfModule mod_authnz_external.c>
        AddExternalAuth pwauth /usr/sbin/pwauth
        SetExternalAuthMethod pwauth pipe
    </IfModule>
</VirtualHost>
Side note: Yes, *:81 - I actually have this running behind nginx and svn.mydomain.com proxies through that to port 81.
This is what dav_authz looks like:
[/]
myuser = rw
* =
[RepoOne:/]
myuser = rw
* =
[RepoTwo:/]
mysuser = rw
someone = rw
* =
It is my expectation that this will give "myuser" read/write access to everything, "someone" read/write access only to RepoTwo, and everyone else politely told to f-off (even if they are valid users and in the svn group). That is not what happens. No matter what I try, I cannot get anything other than a grumpy 403 from the server. This disappears if I revert to not using AuthzSVNAccessFile, and I can log in as normal (if the user is valid and belongs to the svn group) again. I have tried different orders of my directives (putting [/] last, for example), different formats of user names (someuser, someuser@system, someuser/system, someuser\system), removing the repo configs and just having the [/] rule, setting the [/] rule to * = rw, even emptying the file altogether, giving www-data ownership of dav_authz, etc., etc., etc. - each time restarting Apache between changes - each time getting the same 403. The Apache access log shows myuser accessing the site and the 403 response; the error log shows nothing other than my Apache restarts.
I'm out of ideas and need help! Can you?
JS
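Added example, not part of the question above: a small Python evaluator that applies the precedence rules SVN documents for authz files (longest matching path wins, a repository-specific section beats [/] for the same path, an explicit user entry beats *) to a constructed copy of the posted dav_authz, so the expected outcome per user can be checked offline before touching Apache. Groups and aliases are deliberately not handled; the authoritative check is `svnauthz accessof` shipped with Subversion 1.8+.

```python
import configparser

# Constructed copy of the dav_authz file from the question, reproduced as posted.
DAV_AUTHZ = """
[/]
myuser = rw
* =
[RepoOne:/]
myuser = rw
* =
[RepoTwo:/]
mysuser = rw
someone = rw
* =
"""

def parse_authz(text):
    """Map (repo or None, path) -> {principal: perms}. Groups/aliases not handled."""
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                   interpolation=None)
    cp.optionxform = str  # user names are case-sensitive; don't lowercase them
    cp.read_string(text)
    rules = {}
    for section in cp.sections():
        repo, path = section.split(":", 1) if ":" in section else (None, section)
        rules[(repo, path)] = {k: (v or "").strip() for k, v in cp.items(section)}
    return rules

def access_of(rules, repo, path, user):
    """Effective permission ('', 'r' or 'rw') for user on path in repo, using the
    documented precedence: longest path, then repo-specific over global, and an
    explicit user entry over '*'. A section that names neither is skipped."""
    best_key, best_perms = None, ""
    for (rule_repo, rule_path), entries in rules.items():
        if rule_repo not in (None, repo):
            continue
        if path != rule_path and not path.startswith(rule_path.rstrip("/") + "/"):
            continue
        perms = entries.get(user, entries.get("*"))
        if perms is None:
            continue  # section says nothing about this user; keep looking
        key = (len(rule_path.rstrip("/")), rule_repo is not None)
        if best_key is None or key > best_key:
            best_key, best_perms = key, perms
    return best_perms

RULES = parse_authz(DAV_AUTHZ)

def report(user, repos=("RepoOne", "RepoTwo", "RepoThree")):
    """Outcome per repository root for one user, e.g. {'RepoOne': 'rw', ...}."""
    return {r: access_of(RULES, r, "/", user) for r in repos}

if __name__ == "__main__":
    for u in ("myuser", "someone", "otheruser"):
        print(u, report(u))
```

Note the result for myuser on RepoTwo: the posted [RepoTwo:/] section lists "mysuser", so myuser falls through to that section's "* =" rather than to the [/] rule.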