SVN (Subversion) Access Control with Apache and mod_authz_svn

I just wrote a guide on how to install an SVN (Subversion) server on Fedora, CentOS and Red Hat (RHEL). Now I decided to write more about SVN access control. This guide works on any Linux system where Apache, Subversion (SVN) and mod_dav_svn are installed, such as Ubuntu, Debian, Arch or Gentoo, not only Fedora, CentOS or Red Hat (RHEL).

Setup SVN (Subversion) Access Control with Apache and mod_authz_svn

1. Change to root user

su -
## OR ##
sudo -i

2. Add SVN (Subversion) users

Use the following commands:

## Create testuser ##
htpasswd -c -m /etc/svn-auth-users testuser
New password: 
Re-type new password: 
Adding password for user testuser
 
## Create testuser2 ##
htpasswd -m /etc/svn-auth-users testuser2
New password: 
Re-type new password: 
Adding password for user testuser2

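Note: Use exactly the same file name and path as in the subversion.conf file. This example uses the /etc/svn-auth-users file. The -c option creates the password file and overwrites an existing one, so use it only when adding the first user.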

3. Create SVN Access Control file

In this guide, I use the following /etc/svn-access-control file.

## Open /etc/svn-access-control file with your favourite editor ##
nano -w /etc/svn-access-control

Add content like the following to the file:

[groups]
testgroup = testuser1, testuser2
testgroup2 = testuser3, testuser4, testuser5
testgroup3 = testuser6, testuser7
 
[/]
* = r
@testgroup = rw
testuser4 = rw
 
[testrepo:/]
@testgroup2 = rw
testuser6 = rw
 
[testrepo2:/trunk]
@testgroup3 = rw
testuser5 = rw
 
[testrepo2:/tags]
@testgroup3 = r
testuser5 = rw

4. Add AuthzSVNAccessFile to the Subversion server config

The previously created /etc/httpd/conf.d/subversion.conf file:

LoadModule dav_svn_module     modules/mod_dav_svn.so
LoadModule authz_svn_module   modules/mod_authz_svn.so
 
<Location /svn>
   DAV svn
   SVNParentPath /var/www/svn
   AuthType Basic
   AuthName "Subversion repositories"
   AuthUserFile /etc/svn-auth-users
   Require valid-user
</Location>

Add the AuthzSVNAccessFile line to the config:

AuthzSVNAccessFile /etc/svn-access-control

Finally, the /etc/httpd/conf.d/subversion.conf file should look something like the following:

LoadModule dav_svn_module     modules/mod_dav_svn.so
LoadModule authz_svn_module   modules/mod_authz_svn.so
 
<Location /svn>
   DAV svn
   SVNParentPath /var/www/svn
   AuthType Basic
   AuthName "Subversion repositories"
   AuthUserFile /etc/svn-auth-users
   AuthzSVNAccessFile /etc/svn-access-control
   Require valid-user
</Location>

5. Restart Apache Web Server

/etc/init.d/httpd restart
## OR ##
service httpd restart
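
A lint check for the access control file from step 3, run before restarting Apache. This is an added example, not part of the original guide or of Subversion. It flags malformed section headers, group references with no matching [groups] entry, access values other than r, rw or empty, a non-empty * rule in [/], and names with no entry in the password file. The function names, the sample users and the choice to match names case-sensitively are assumptions of this example.

```python
import re

# Path sections look like [/path] or [repo:/path].
SECTION_RE = re.compile(r"^\[(?:[^:\]/]+:)?/[^\]]*\]$")
VALID_ACCESS = {"", "r", "rw"}

def htpasswd_users(text):  # user names from htpasswd 'name:hash' lines
    return {l.split(":", 1)[0] for l in text.splitlines() if ":" in l}

def lint_authz(text, known_users=None):
    """Return sorted (line_no, message) findings for an authz file."""
    findings, groups, rules, section = [], {}, [], None
    missing = lambda u: known_users is not None and u not in known_users
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") or line.endswith("]"):
            if line in ("[groups]", "[aliases]") or SECTION_RE.match(line):
                section = line[1:-1]
            else:
                section = None
                findings.append((no, f"malformed section header {line!r}"))
            continue
        name, sep, value = (p.strip() for p in line.partition("="))
        if not sep or not name:
            findings.append((no, f"expected 'name = value', got {line!r}"))
        elif section is None:
            findings.append((no, f"{name!r} is outside any valid section"))
        elif section == "groups":
            members = [m.strip() for m in value.split(",")]
            if "" in members:
                findings.append((no, f"group {name!r} has an empty member"))
            groups[name] = {m for m in members if m}
            for m in sorted(groups[name]):
                if m[0] not in "@&" and missing(m):
                    findings.append((no, f"member {m!r} has no password entry"))
        elif section != "aliases":
            rules.append((no, section, name, value))
    for no, section, name, value in rules:
        if value not in VALID_ACCESS:
            findings.append((no, f"invalid access {value!r} for {name!r}"))
        if name.startswith("@"):
            if name[1:] not in groups:
                # Assumption of this example: names must match exactly, case included.
                near = [g for g in groups if g.lower() == name[1:].lower()]
                hint = f" (did you mean @{near[0]}?)" if near else ""
                findings.append((no, f"group {name} is not defined{hint}"))
        elif name == "*" and section == "/" and value:
            findings.append((no, "'*' in [/] applies to every user and repository"))
        elif name != "*" and name[0] not in "$&~" and missing(name):
            findings.append((no, f"user {name!r} has no password entry"))
    return sorted(findings)

# Constructed sample input, not taken from a real server.
SAMPLE_HTPASSWD = "alice:HASH\nbob:HASH\ncarol:HASH\n"
SAMPLE_AUTHZ = """\
[groups]
Sadmin = alice
developer = bob,
arts = carol
[/]
* = r
@sadmin = rw
[repo1:/trunk]
@developer = rw
@art = rw
dave = rw
[repo1:/tags
carol = rw
"""
if __name__ == "__main__":
    for no, msg in lint_authz(SAMPLE_AUTHZ, htpasswd_users(SAMPLE_HTPASSWD)):
        print(f"line {no}: {msg}")
```

To check a real setup, pass the contents of /etc/svn-access-control and /etc/svn-auth-users to lint_authz and htpasswd_users instead of the constructed samples.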

72 Comments

  1. ## Create testuser ##
    htpasswd -m /etc/svn-auth-users testuser
    New password:
    Re-type new password:
    Adding password for user testuser

    ## Create testuser2 ##
    htpasswd -m /etc/svn-auth-users testuser2
    New password:
    Re-type new password:
    Adding password for user testuser2

    -cm creates a new file (and deletes old users!!!)

    • Hi Simone,

      Thank you for your correction. I changed this in the blog post; it was totally my mistake.

      Btw, the first time you could use the -c option, when you are really creating a new file.

      • Absolutely! ;)

  2. Is there a way I can put a line break at the attribution? Something like

    [groups]
    testgroup = testuser1, testuser2, testuser2, testuser3, testuser4,
    testuser5, testuser6, testuser7, testuser8, testuser9

    I need to do this cause there’s a group with many users.

    • Hi Shad,

      I think the following syntax should work:

      [groups]
      testgroup = testuser1, testuser2, testuser2, testuser3, testuser4
      testgroup = testuser5, testuser6, testuser7, testuser8, testuser9
      testgroup = testuser10, testuser11, testuser12, testuser13, testuser14

      Please let me know whether you get it working. I can’t test this right now. :)

  3. Hi,

    Is there any chance to configure a repository which is outside the /var/www directory? For example, when I use /abc/svn instead of /var/www/svn and configure everything with this path, I’m getting the following error:

    “Could not open the requested SVN filesystem”

    with /var/www/svn everything works fine with no errors.

    • Hi harti,

      I just checked the SVN install guide using /some_directory/svn and it’s working normally. Are you absolutely sure you changed all paths in the guide?

  4. Hi
    I have configured the SVN server and set the SVN Access Control permissions, but all SVN users are accessing all repos.

    • Did you follow all steps exactly?

      Could you post your configuration files?

      • groups]
        Sadmin = Vijay
        admin = bing, babu
        developer = pranita,
        mobideveloper = pradeep, king
        SEO = among
        designer = somanath

        [/]
        * = r
        @sadmin = rw
        @admin = rw

        [Bills_Master:/Baseline]
        king = rw
        pranita = rw
        bing =rw

        [ISMS:/Testing]
        @developer = rw
        bing = rw

        [SMS:/Development]
        @developer = rw
        bing = rw

        [V3_Tablet:/]
        pradeep = rw

        [Tic_Tac_Toe:/]
        bing = rw
        king = rw

        [Wing_Website:/]
        bing = rw

        [testrepo:/]
        Vijay = rw

        When we remove the “below mentioned details”, all users get the error that they do not have permission.

        [/]
        * = r
        @sadmin = rw
        @admin = rw

        • If you remove all of those then, yes, nobody has permissions to /. Other repos’ permissions should still work?

          But yes, if you want to use your original setup, then you can use the following syntax to disallow read (and write) permission on some project:

          ...
           
          [/]
          * = r
          @sadmin = rw
          @admin = rw
           
          [Bills_Master:/Baseline]
          king = rw
          pranita = rw
          bing =rw
          @designer = 
           
          [ISMS:/Testing]
          @developer = rw
          bing = rw
          among = 
          king = 
           
          ..

          So if you set an “empty” permission, it should disable access on some repos. Alternatively, you can remove just * = r, but then only the sadmin and admin groups have permission to access root if you do not allow any other permissions; all other permissions should still work on specific repositories.

          Please let me know whether you get it working with this help.

          • Hi ,

            Thank you for your correction….

            • Excellent to hear that you got it working! :)

            • Hi
              I have already created an SVN structure like below
              mkdir -p /var/svntmp/syn-structure-template/{Testing,Baseline,Trunk,management}
              and it is working…..
              but now I want to add one more name to the SVN structure, so please help ……….

              • Hi varun,

                You can do it simply with the following command:

                svn mkdir http://repoaddess/reponame/newdir
                • root@localhost ~]# svn mkdir http://var/www/svn/SKAI-Tata_DoCoMo/release
                  svn: Could not use external editor to fetch log message; consider setting the $SVN_EDITOR environment variable or using the --message (-m) or --file (-F) options
                  svn: None of the environment variables SVN_EDITOR, VISUAL or EDITOR are set, and no ‘editor-cmd’ run-time configuration option was found

                  • You need to export an editor (for example vi):

                    export EDITOR=vi
                    svn mkdir http://var/www/svn/SKAI-Tata_DoCoMo/release

                    Or use the svn message (-m) option:

                    svn mkdir http://var/www/svn/SKAI-Tata_DoCoMo/release -m "New directory"
    • HI Varun,

      Could you please send me the correct steps to configure SVN on the server and client side?

  5. Hello friends,
    First of all, thanks a lot for sharing this configuration. By using it I configured SVN successfully, but I am not able to set the permissions on all my projects. I followed all steps as written.
    After that, all my users are able to log in to any project repo. I used this command, so I think the problem is due to this:
    chcon -R -t httpd_sys_rw_content_t /var/www/svn/testrepo

    I also added this file like this and set the permissions like that:

    [groups]
    Sadmin = Vijay
    admin = bing, babu
    developer = pranita,
    mobideveloper = pradeep, king
    SEO = among
    designer = somanath

    [/]
    * = r
    @sadmin = rw
    @admin = rw

    [Bills_Master:/Baseline]
    king = rw
    pranita = rw
    bing =rw

    [ISMS:/Testing]
    @developer = rw
    bing = rw

    [SMS:/Development]
    @developer = rw
    bing = rw

    [V3_Tablet:/]
    pradeep = rw

    [Tic_Tac_Toe:/]
    bing = rw
    king = rw

    [Wing_Website:/]
    bing = rw

    [testrepo:/]
    Vijay = rw

    Kindly help me to solve this problem; I need the help.

    • Hi vijay kumar,

      Please check the following line in your permission file:

      [/]
      * = r
      @sadmin = rw
      @admin = rw

      It adds read permission to every repository for all users and groups?

  6. Hello JR

    Thanks a lot for your quick help and guidance. You are doing great, man. Again, thank you very much.

    • Hello vijay,

      You are welcome! Nice to hear that you got it working!

  7. Hi

    I want to take a backup of the SVN server, so please help me….

    • Hi,

      You can use the svnadmin dump command, like:

      svnadmin dump /path/to/your/repository > /backup/directory/repository.dump

      More info with the following command:

      svnadmin dump --help
  8. Hi JR,

    I want your help with solving my problem. I installed this SVN on my CentOS 5.5 with all the configuration as given. Now I am stuck on the ACL (Access Control List). I want to access the repository from another system. I have created some users by command in the /etc/svn-auth-conf file and given the permissions in the /etc/svn-acl-conf file.

    In /etc/httpd/conf.d/subversion.conf I had given this location of the repository:

    DAV svn
    SVNPath /var/www/svn/repos
    SVNListParentPath On
    AuthType Basic
    AuthName "Subversion repos"
    AuthUserFile /etc/svn-auth-conf
    Require valid-user

    Now I can access the repository from another system with TortoiseSVN as the specified user, but the problem is that permission is given to only 1 user in the svn-acl-conf file, yet the rest of the users are also able to access it without permission,
    and
    whenever I insert
    AuthzSVNAccessFile /etc/svn-acl-conf as a line in the Location of the repository, it shows an error during SVN checkout when accessing from another system.

    This is the only error I want to resolve. I have been facing this problem for 1 month. Please kindly give me the solution so that I can go further.

    • Hi Vishal,

      Do you still have this problem? I totally missed your question. :/

      • Hi JR,

        Thanks for the reply. Yes, I was facing that problem and it is not resolved yet. But I found another SVN called UberSVN, installed it on another system, and it works excellently. No need for commands, it’s totally GUI based.
        But I still want to solve that problem for future purposes.

        • Could you post the full error message and the content of the /etc/svn-auth-conf and /etc/svn-acl-conf files? You can of course change real names if you want.

          • Hi JR,

            Thanks for the reply. Now the condition is different. We are using UberSVN on our server. Our projects are also on the same server, but now whenever I try to do a checkout from the command line into an empty directory it shows “svn: E175013: Access to ‘/Test/!svn/rvr/3’ forbidden”.

            There is already a committed folder in the Test/trunk/ folder by another user. So is there any solution for this?

            One more thing: our projects are on a different drive, so on the same server can we use SVN and do commit, checkout, add, etc.?

            Thanks in advance

            • Hi Vishal,

              Have you made any changes to the SVN configuration recently? Or has some update changed your configuration?

              Could you also check Apache access/error logs?

              If you have the right permissions and correct settings for Subversion, then another drive should not be a problem. You can even mount your drive with the bind option, if you have problems with it.

  9. Hi JR,
    Can you please help me by telling me how I can get remote access to SVN? When I want to access the SVN server from another computer, the browser shows “you don’t have permission to access /svn on this server”. Please help me to solve this problem.
    Thank you.
    Wardha

    • Hi Wardha,

      Is SVN working from localhost?

      Could you access some repository directly?

      • Hi JR,
        Thank you for replying. Yes, SVN is working from localhost. But I can’t access the repositories. It shows the repositories but not the files inside them.
        In the remote browser the login page comes up, but after login it shows this message:

        Forbidden
        You don’t have permission to access /svn on this server.
        Apache/2.2.15 (Red Hat) Server at 192.168.100.103 Port 80

        Can you give me a solution?

        Thanks once again.

        Wardha

        • Hi Wardha,

          Did you use the same username and password that you created in step 2?

          Could you post your svn-access-control list content?

  10. Hi Team,
    I have configured the SVN structure. From the browser I am able to go into a particular directory and can see the committed projects, but on the Linux server I am not able to find the committed project
    http:///svn/Repos/Development/
    Can you please tell me where to find my committed projects?
    Help would be appreciated.

  11. Hi Team,

    I want to take a backup of the SVN server, please help…. What is important for the backup of an SVN server?

  12. Hi Team,

    I’m using https://localhost/svn/testrepo. It is on the public IP and now I want SVN access only in the local network. Which port do I need to block for SVN?

    Please help me

    • Hi Varun,

      Do you have public web server running on same machine?

      • Yes, I have a public web server and it is running on the same machine. Now I want SVN not to be accessible via the public IP, and I can’t remove the public IP from this system/server. Please help me.

        • Okay, then you can’t block port 80.

          Try the following /etc/httpd/conf.d/subversion.conf:

          LoadModule dav_svn_module     modules/mod_dav_svn.so
          LoadModule authz_svn_module   modules/mod_authz_svn.so
           
          <Location /svn>
             DAV svn
             SVNParentPath /var/www/svn
             AuthType Basic
             AuthName "Subversion repositories"
             AuthUserFile /etc/svn-auth-users
             AuthzSVNAccessFile /etc/svn-access-control
             Require valid-user
           
             ## Deny from all and then allow localhost or some other local network ##
             Order deny,allow
             Deny from all
             Allow from 127.0.0.0/8
          </Location>
  13. Hi
    I have added the lines mentioned below, but it is still accessible via the public IP

    ## Deny from all and then allow localhost or some other local network ##
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/8

    • I want SVN to be accessible by local IP on the LAN network, not accessible from the WAN network.

      • Hi varun,

        You have to add your own network to Allow from 127.0.0.0/8 or add several IPs or networks.

        And remember that you need to reload/restart your web server.

        • Thanx….. gr88888

          • Excellent to hear that you got it working!

  14. Great guide. Thank you.

    SVN works great.

    A question for you, if you don’t mind:
    Is there a way to allow users to change their svn passwords?

    Thanks.

    • Hi Sky Is Falling,

      You are welcome!

      Good question. It’s possible, but then maybe some other authentication method might be much better than mod_authz_svn, which I use in this guide. You can check the Apache HTTP Server authentication and authorization modules to see if you find a better method for your needs. Alternatively, you can use, for example, mod_auth_mysql or mod_auth_pgsql and create a simple web user interface to allow users to change their SVN passwords…

  16. Hi Team,
    My SVN server crashed, but I had an SVN backup.dump. I installed SVN again, created 1 repo and imported the backup into the repo. Now a user can log in by URL, but when he commits a project it shows the error ACCESS DENIED
    Please help me.

    • Hi Varun Kumar,

      Could you tell me more about your current setup? This sounds like an Access Control problem if SVN is working but the user can’t commit.

      Could you post your Access Control file content? You can of course change user names if you want.

  18. Hi Team

    Below is the Access Control file.

    [groups]
    Administrator = Varun, Vijay, Anamika, Babu
    Developer = Abhishek, Sumit, satya, Pradeep, Anita, Rahul, Ankit, Vivek
    Designer = Sohan, Vivek

    [/]
    #* = r
    @Administrator = rw
    @Designer =

    [Repos:/]
    @Developer = rw
    @Designer =

    • Thanks, I assume that users who have rw permission can’t commit?

      Do you have SELinux enabled?

      grep -v "#" /etc/sysconfig/selinux

      Could you also post the output of the following commands:

      ls -laZ /path/svn
       
      ls -laZ /path/svn/repo

      You can of course change file names and repo name.

  19. Hi, output of the given commands:

    [root@localhost ~]# ls -laZ /var/www/svn/Repos/
    drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 .
    drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 ..
    drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 conf
    drwxr-sr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 db
    -r--r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 format
    drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 hooks
    drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 locks
    -rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 README.txt
    [root@localhost ~]# ls -laZ /var/www/svn/
    drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 .
    drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 ..
    drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 Repos
    [root@localhost ~]#
    (4:52 PM) vijay.k: [root@localhost ~]# grep -v "#" /etc/sysconfig/selinux

    SELINUX=enforcing
    SELINUXTYPE=targeted

    • Thanks. First set httpd_sys_rw_content_t instead of httpd_sys_content_t:

      chcon -R -t httpd_sys_rw_content_t /var/www/svn

      Then try the commit again. Is it working then? If not, could you post the full error message?

  20. Hi Team,
    When I commit a project to the SVN repository I get this error:
    Cant open file ‘/var/www/svn/Repos1/dv/txn-current-lock’: Permission Denied
    Please Help …

    • Hi Varun,

      Do you have the right permissions on your repo? Normally user: apache and group: apache.

      chown -R apache:apache /var/www/svn/Repos1
  22. Hi team,

    I have used the chown -R apache:apache /var/www/svn/Repos1 command, but now I am getting another error:
    svn:- Server sent unexpected return value (403 Forbidden)in responce to MKACTIVITY REQUEST FOR ‘/SVN/Repos1/!svn/act/act627d94a5-1d65-42bf-b88c-b1b28ee0d0ac

    Please help…..

    • Hi Varun,

      To me this sounds like a problem with user permissions. Could you do, for example, a checkout (svn co) or listing (svn ls) normally?

    • I’m also seeing the same issue. I’ve seen posts claiming that this is a “case-sensitive” issue or that I should be using https:// instead of http:// but neither of these seems to fix the issue. Does anyone know what could be causing this issue and how to fix it??

      Any help will be much appreciated!!

      Thanks!!

  23. Hi,

    I want to isolate a group to a repository.

    I have subversion set up through ldap.
    Users in a particular group can access all the repositories. Users use TortoiseSVN

    #**************************************************
    #LDAP AUTHENTICATION
    #**************************************************
    # Work around authz and SVNListParentPath issue
    RedirectMatch ^(svn)$ $1/

    DAV svn
    SVNParentPath /path /to//svn/
    SVNListParentPath on

    # Limit write permission to list of valid users.
    # Require SSL connection for password protection.
    # SSLRequireSSL

    AuthType Basic
    AuthName "Authorization Realm"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative On
    AuthLDAPBindDN "cn=name,……etc"
    AuthLDAPBindPassword "password"
    AuthLDAPURL "ldap://ldapname-port etc?uid?"

    Require ldap-group cn=svnreadwrite,etc
    Require ldap-group cn=svnreadonly,etc

    Require ldap-group cn=svnreadwrite,cn=etc

    DAV svn
    SVNParentPath /path/to/my/mysite/
    SVNPathAuthz off

    Require ldap-group cn=svngrp1,cn=etc

    I want the users in svngrp1 to access the mysite repository.

    Thanks
    Joe

  24. Still facing a problem when committing files. Can I remove SVN and install it again?

    • Hi Varun,

      Simply remove the repos, remove the mod_dav_svn and subversion packages, and remove the svn (custom) config files.

      Of course, back up everything that you might need later.

  25. Hi there,

    I followed the above guide from JR and it works well in the case without an access-control file.
    The problem is that I get an access denied error after using any created account to log in to

    Below is my access-control file. Could you please help me find out the reason?

    [groups]
    admin = user1, user2
    cltt = user3
    gm = user4
    srv = user5, user6
    arts = user7

    [repos:/]
    @admin = rw
    user1 = rw

    [repos:/api_src]
    @srv = rw
    user1 = rw

    [repos:/art_01]
    @art = rw

    [repos:/art_02]
    @art = rw

    [repos:/cltt_src
    @cltt = rw

    [repos:/gm_dsg]
    @gm = rw

    [repos:/srv_src]
    @srv = rw

  26. Hi,
    To implement directory-level permissions in httpd.conf, two modules, i.e. authz_svn_module and dav_svn_module, are not loaded by default. In order to implement locking on directories, loading these two and restarting httpd will work… Please reply ASAP.

    • Hi josh,

      Do you have some problem with setting directory level permissions?

  27. I can’t save changes to the /etc/httpd/conf.d/subversion.conf file

    • Hi sam,

      Did you try as the root user?

  28. It’s fine now, thanks for the effort, and I must say this is a great tutorial!!
