> I have a repository that is partially mirrored, using svnsync and
> mod_authz_svn [1]. I just realised that the administrator of the
> mirror server can bypass the authz rules I've set up on the master
> server. All he has to do is change the svn:sync-from-url property
> on the mirror repository to be a file:// URL to the source
> repository, rather than a http:// one. The correct file:// URL is
> probably guessable.

Well, this has nothing to do with svnsync then, does it? If you expose the repository file system then yes, anyone can access it, bypassing the server. Even with svn.exe it can be done. You should use FS/network permissions so that your repositories are only available via your server (http or svn protocols).

BOb
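
The filesystem restriction recommended in the reply can be checked with a short audit. This is an added example, not code from the thread: the function name `audit_repo_permissions`, the idea of a single server account uid, and the optional list of allowed group ids are assumptions made for illustration.

```python
import os
import stat
import tempfile


def audit_repo_permissions(repo_path, server_uid, allowed_gids=()):
    """Return (path, problem) tuples for entries reachable outside the server account.

    Assumption: the repository should be owned by the account the http/svn
    server runs as (server_uid) and closed to every other local user.
    """
    findings = []
    # os.walk visits the repository root and every directory below it.
    for root, _dirs, files in os.walk(repo_path):
        for path in [root] + [os.path.join(root, name) for name in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits do not control access
            mode = stat.S_IMODE(st.st_mode)
            if st.st_uid != server_uid:
                findings.append((path, "owned by uid %d, not the server account" % st.st_uid))
            if mode & stat.S_IRWXO:
                findings.append((path, "accessible to other users (mode %o)" % mode))
            if mode & stat.S_IRWXG and st.st_gid not in allowed_gids:
                findings.append((path, "accessible to group gid %d (mode %o)" % (st.st_gid, mode)))
    return findings


if __name__ == "__main__":
    # Constructed sample: a stand-in repository directory with loose permissions.
    repo = tempfile.mkdtemp()
    os.mkdir(os.path.join(repo, "db"))
    open(os.path.join(repo, "db", "current"), "w").close()
    os.chmod(repo, 0o755)
    for path, problem in audit_repo_permissions(repo, os.geteuid()):
        print(path, "->", problem)
```

An empty result means only the server account can reach the repository files directly, so file:// access by other local users is closed off and requests have to go through the server where the authz rules apply.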