Why does svn authz need read access by default?

Question

I need to give read/write access for a user to an exactly one repository.

Why this doesn't work?

[groups]
dev = dvolosnykh,sam

[/ukk]
ukk = rw

[/]
@dev = rw

Why should I add this?

[/]
@dev = rw
* = r # read access for everyone. Why?

I'm using dav_svn, apache2, Linux Ubuntu server 11.04

My dav_svn.conf:

<Location /svn>

  DAV svn

  SVNParentPath /var/svn
  SVNListParentPath On

  AuthType Basic
  AuthName "Subversion Repository"
  AuthUserFile /etc/apache2/dav_svn.passwd
  AuthzSVNAccessFile /etc/apache2/dav_svn.authz

  Require valid-user

</Location>

I had a similar problem. Without `* = r` on the root I was getting a forbidden without any credential prompt. My issue was due to the fact that the `Require valid-user` was inside a `LimitExcept` tag. I think that the reason of the failure was: since no "valid user" is required, there is nothing to authenticate => forbidden ... unless everybody is authorized by the `* = r`. I spent many hours on that problem. Can’t post an answer though, you don’t have the "LimitExcept" in your snippet. — boumbh, Aug 22 '13 at 20:27

score 1 · Answer 1 · edited Nov 22 '16 at 22:15

1

By default, nobody has any access to the repository at all. That means that you'll probably want to give at least read permission to all users at the root of the repository. You can do this by using the asterisk variable (*), which means “all users”:

[/]
* = r

This is a common setup; notice that no repository name is mentioned in the section name. This makes all repositories world-readable to all users. Once all users have read access to the repositories, you can give explicit rw permission to certain users on specific subdirectories within specific repositories.

edited Nov 22 '16 at 22:15

Thomas Weller

55,411
20
125
222

answered Oct 22 '12 at 07:23

sareeshmnair

441
1
6
18

Doing that solved the problem, but now everybody in the Internet can browse my repositories. Bad advice... – Thomas Weller Nov 22 '16 at 22:15

score 0 · Answer 2 · answered Oct 19 '12 at 20:39

Well, you can (and really have) to have for your case perfectly valid dav_svn.authz file

[groups]
dev = dvolosnykh,sam

[/ukk]
@dev = rw

[/]
* =

Re-read authz-file format^ section-name is path, left side of access operand is object (user or group), right side is access-type, there empty is NONE

score 0 · Answer 3 · answered Mar 28 '13 at 22:19

0

You should confiure like this here below :

[<repo_name>:<path-in-repo>]

Example :

[osirisProject:/]

@grp_W = rw

answered Mar 28 '13 at 22:19

skulled

1,689
1
13
9

score 0 · Answer 4 · answered Feb 22 '15 at 20:49

0

Check conf/svnserve.conf for the lines

# anon-access = read
# auth-access = write

These are the defaults, for anonymous and authenticated users, but you can uncomment and change them to read, write, or none.

answered Feb 22 '15 at 20:49

Quip11

194
1
7

Why does svn authz need read access by default?

4 Answers4