How Do I Restrict Repository Access via WebSVN?
- by kaybenleroll
I have multiple subversion repositories which are served up through Apache 2.2 and WebDAV. They are all located in a central place, and I used this debian-administration.org article as the basis (I dropped the use of the database authentication for a simple htpasswd file though).
Since then, I have also started using WebSVN. My issue is that not all users on the system should be able to access the different repositories, and the default setup of WebSVN is to allow anyone who can authenticate.
According to the WebSVN documentation, the best way around this is to use subversion's path access system, so I looked to create this, using the AuthzSVNAccessFile directive.
When I do this though, I keep getting "403 Forbidden" messages.
My files look like the following:
I have default policy settings in a file:
<Location /svn/>
DAV svn
SVNParentPath /var/lib/svn/repository
Order deny,allow
Deny from all
</Location>
Each repository gets a policy file like below:
<Location /svn/sysadmin/>
Include /var/lib/svn/conf/default_auth.conf
AuthName "Repository for sysadmin"
require user joebloggs jimsmith mickmurphy
</Location>
The default_auth.conf file contains this:
SVNParentPath /var/lib/svn/repository
AuthType basic
AuthUserFile /var/lib/svn/conf/.dav_svn.passwd
AuthzSVNAccessFile /var/lib/svn/conf/svnaccess.conf
I am not fully sure why I need the second SVNParentPath in default_auth.conf, but I just added that today as I was getting error messages as a result of adding the AuthzSVNAccessFile directive.
With a totally permissive access file
[/]
joebloggs = rw
the system worked fine (and was essentially unchanged), but as I soon as I start trying to add any kind of restrictions such as
[sysadmin:/]
joebloggs = rw
instead, I get the 'Permission denied' errors again. The log file entries are:
[Thu May 28 10:40:17 2009] [error] [client 89.100.219.180] Access denied: 'joebloggs' GET websvn:/
[Thu May 28 10:40:20 2009] [error] [client 89.100.219.180] Access denied: 'joebloggs' GET svn:/sysadmin
What do I need to do to get this to work? Have configured apache wrong, or is my understanding of the svnaccess.conf file incorrect?
If I am going about this the wrong way, I have no particular attachment to my overall approach, so feel free to offer alternatives as well.
UPDATE (20090528-1600):
I attempted to implement this answer, but I still cannot get it to work properly.
I know most of the configuration is correct, as I have added
[/]
joebloggs = rw
at the start and 'joebloggs' then has all the correct access.
When I try to go repository-specific though, doing something like
[/]
joebloggs = rw
[sysadmin:/]
mickmurphy = rw
then I got a permission denied error for mickmurphy (joebloggs still works), with an error similar to what I already had previously
[Thu May 28 10:40:20 2009] [error] [client 89.100.219.180] Access denied: 'mickmurphy' GET svn:/sysadmin
Also, I forgot to explain previously that all my repositories are underneath
/var/lib/svn/repository
UPDATE (20090529-1245):
Still no luck getting this to work, but all the signs seem to be pointing to the issue being with path-access control in subversion not working properly. My assumption is that I have not conf
