
I'm trying to configure permissions for an SVN repository accessed through Apache 2. What I want is to let anyone access the root directory, while restricting a child directory to authenticated users. Example:

    /demo
    /demo/project1
    /demo/project1/sensitive-data   # This path should require user authentication.
    /demo/project2

At first, I thought this was as simple as:

    <Location /demo>
      DAV svn
      SVNPath /home/svn/demo
      AuthType Basic
      AuthName demo
      AuthUserFile /etc/subversion/passwd
      <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require valid-user
      </LimitExcept>
    </Location>

    <Location /demo/project1/sensitive-data>
      DAV svn
      Require valid-user
    </Location>

When used through HTTP (for example with CURL), Apache conforms to the configuration: I can access:

and I get, as expected, an HTTP 401 Unauthorized when trying to retrieve http://example.com/demo/project1/sensitive-data.

On the other hand, doing:

  • svn checkout http://example.com/demo/ . or:
  • svn checkout http://example.com/demo/project1/ .

retrieves the whole directory tree, including demo/project1/sensitive-data.

At least, svn checkout http://example.com/demo/project1/sensitive-data/ . asks for a password.

How should I configure the permissions to restrict access to the sensitive-data directory when doing svn checkout http://example.com/demo/ .?

1 Answer

The <Location /demo/project1/sensitive-data> block is irrelevant when doing a checkout: it is used only when accessing http://example.com/demo/project1/sensitive-data directly, which is the reason why HTTP requests result in HTTP 401 Unauthorized and a checkout of this particular directory requires authentication.

The proper way to configure path-based authorization is explained in the Subversion documentation:

  1. <Location /demo> points to an access file:

    <Location /demo>
      ...
      AuthzSVNAccessFile /etc/subversion/access.conf
      ...
    </Location>
  2. The access file defines who can access the specific files and directories. Basic example:

    [/]
    # Everyone should be able to access the repository.
    * = r

    [/demo/project1/sensitive-data]
    # Note that there is no trailing slash.
    # Nobody should access the sensitive directory.
    * =
  • Can this be used similarly in reverse? I want to give guest access to a sub-directory only, and disallow "guest" to browse the rest of the repository. Or maybe the easiest way would be to just create a separate repository? Commented Mar 10, 2015 at 15:38
  • @Zack: I don't have a test environment right now, but I believe that yes, you can do that. Also relevant: What are the permissions to set on SVN root? Commented Mar 10, 2015 at 15:47
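
An added example, not part of the answer or of Subversion itself: a small Python audit script that models how an access file like the one above resolves, so the anonymous exposure of a rule set can be checked before deploying it. It is a simplified model (the nearest section with an entry matching the user decides; groups, aliases and repository-name prefixes are ignored), and the user names `alice` and `guest` and the path `/demo/project2/public` are hypothetical.

```python
import configparser

# Constructed authz file; paths are copied from the answer as written.
AUTHZ = """
[/]
* = r
[/demo/project1/sensitive-data]
* =
alice = rw
"""
# Constructed reverse case from the comment: "guest" and the path are hypothetical.
GUEST_ONLY = """
[/]
* =
[/demo/project2/public]
guest = r
"""

def load_rules(text):
    """Parse authz text into {repository path: {principal: access}}."""
    cp = configparser.ConfigParser(delimiters=("=",), comment_prefixes=("#",),
                                   interpolation=None)
    cp.optionxform = str  # keep user names case-sensitive
    cp.read_string(text)
    return {s: {who: acc.strip() for who, acc in cp[s].items()}
            for s in cp.sections() if s.startswith("/")}

def access(rules, path, user=None):
    """Return '', 'r' or 'rw' for user on path; user=None is an anonymous request."""
    names = {"*", "$anonymous"} if user is None else {"*", "$authenticated", user}
    node = "/" + path.strip("/")
    while True:
        hits = [acc for who, acc in rules.get(node, {}).items() if who in names]
        if hits:  # nearest section with a matching entry decides
            return "".join(c for c in "rw" if any(c in h for h in hits))
        if node == "/":
            return ""  # no matching rule anywhere: deny
        node = node.rsplit("/", 1)[0] or "/"

def anonymous_readable(rules, paths):
    """Audit helper: which of these paths can an unauthenticated client read?"""
    return [p for p in paths if "r" in access(rules, p)]

if __name__ == "__main__":
    tree = ["/demo", "/demo/project1", "/demo/project1/sensitive-data", "/demo/project2"]
    print(anonymous_readable(load_rules(AUTHZ), tree))
    print(access(load_rules(GUEST_ONLY), "/demo/project2/public", "guest"))
```

Files below a denied directory inherit the denial because the lookup walks up to the nearest section, which is why no per-file entries are needed.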
