So, 

Earlier today I was asked to open a few children from a repo that is 
essentially closed by default. 
Some background information: 

This setup allows commits only via an https vhost, and this is working 
perfectly.  The http vhost is configured to not allow read-only access to the 
entire repo (as is the case with the main ASF repo).
We are running Apache httpd 2.2 and Subversion 1.7, from the Ubuntu apt repos. 

REPOROOT = /x1/source.caret.cam.ac.uk/repos/svn
WEBROOT = http://source.caret.cam.ac.uk/svn/ 
PUBLICCHILD = http://source.caret.cam.ac.uk/svn/projects/talks.cam/


We do not want to make the WEBROOT publicly readable, but we did want to make 
PUBLICCHILD publicly readable.  The only way I could make this happen was to 
use the config below.  Basically we had to allow "GET OPTIONS PROPFIND REPORT" 
for the WEBROOT.  You can see that we then go on to explicitly deny all but 
a couple of options to prevent listing the entire repo. 

With this it seems that dav_svn needs access to the root of the repo to be able 
to list contents of child folders.  

If we take away "GET REPORT" from WEBROOT, and then go to PUBLICCHILD, it will 
display an empty folder.  But you can enter the name of a subfolder in the 
browser, and that will also open, again with no contents. 


  ## For child objects to be able to be publicly readable, the root also needs to be readable.
  ## annoying but true.
  <Location /svn>
    DAV svn
    SVNPath /x1/source.caret.cam.ac.uk/repos/svn
    <LimitExcept GET OPTIONS PROPFIND REPORT>
      Order allow,deny
      Deny from all
    </LimitExcept>
    ErrorDocument 403 /forbidden.html
  </Location>

  ## This block will make sure that the contents of these directories cannot be enumerated publicly.
  ## Explicitly add directories/locations below to match against and allow access.
  <LocationMatch "^/svn/(attic|general|projects|users)">
    <LimitExcept PROPFIND OPTIONS>
      Order allow,deny
      deny from all
    </LimitExcept>
    ErrorDocument 403 /forbidden.html
  </LocationMatch>

  <Location /svn/projects/talks.cam>
    <LimitExcept OPTIONS PROPFIND GET REPORT>
       Order deny,allow
       deny from all
    </LimitExcept>
    Satisfy Any
    Allow from all
    ErrorDocument 403 /forbidden.html
  </Location>





-- 

Cheers,
Tony

---------------------------------------------------------------
Tony Stevenson

t...@pc-tony.com // pct...@apache.org // t...@caret.cam.ac.uk
GPG: 1024D/51047D66
http://blog.pc-tony.com
---------------------------------------------------------------
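
Added example, not part of the message above or of the site's own tooling: a Python check that replays the intended access policy against the http vhost you administer and reports mismatches. It also counts the entries a `Depth: 1` PROPFIND returns, because PROPFIND stays open on the parent directories in the config. The base URL `http://svn.example.test` and the limit of one entry per parent listing are assumptions; the paths and methods come from the config.

```python
import http.client
import re
from urllib.parse import urlsplit

# Intended policy from the message: (method, path, allowed, max_entries).
# max_entries caps the <response> elements a listing may return; the value 1
# (the directory itself, no children) is an assumption about the intent.
POLICY = [
    ("GET",      "/svn/projects/",           False, None),
    ("GET",      "/svn/users/",              False, None),
    ("PROPFIND", "/svn/projects/",           True,  1),
    ("GET",      "/svn/projects/talks.cam/", True,  None),
    ("PROPFIND", "/svn/projects/talks.cam/", True,  None),
]
RESPONSE_TAG = re.compile(r"<(?:\w+:)?response\b")  # one per listed resource

def http_probe(base, method, path):
    """Send one request to the plain-http vhost and return (status, body)."""
    url = urlsplit(base)
    conn = http.client.HTTPConnection(url.hostname, url.port or 80, timeout=10)
    try:
        # Depth: 1 asks a PROPFIND for the collection and its direct children.
        headers = {"Depth": "1"} if method == "PROPFIND" else {}
        conn.request(method, path, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()

def check(base, policy=POLICY, probe=http_probe):
    """Return a list of policy violations; an empty list means the vhost matches."""
    problems = []
    for method, path, allowed, max_entries in policy:
        status, body = probe(base, method, path)
        got_allowed = status not in (401, 403)
        if got_allowed != allowed:
            want = "allowed" if allowed else "denied"
            problems.append(f"{method} {path}: status {status}, expected {want}")
        elif max_entries is not None and status == 207:
            listed = len(RESPONSE_TAG.findall(body))
            if listed > max_entries:
                problems.append(f"{method} {path}: listing returns {listed} entries")
    return problems

if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "http://svn.example.test"
    print("\n".join(check(base)) or "policy holds")
```

Run it after every change to the `<Location>` blocks; a non-empty result names the method and path whose behaviour no longer matches the policy table.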
