If Not True Then False

SVN (Subversion) Access Control with Apache and mod_authz_svn - Comment Page: 1

I just wrote a guide on how to install an SVN (Subversion) Server on Fedora, CentOS and Red Hat (RHEL). Now I decided to write more information about SVN Access Control. This guide works if you have installed Apache, Subversion (SVN) and mod_dav_svn on any Linux system, like Ubuntu, Debian, Arch, Gentoo, not only Fedora, CentOS or Red Hat (RHEL). Setup SVN (Subversion) Access...

97 Comments


Simone

## Create testuser ##
htpasswd -m /etc/svn-auth-users testuser
New password:
Re-type new password:
Adding password for user testuser

## Create testuser2 ##
htpasswd -m /etc/svn-auth-users testuser2
New password:
Re-type new password:
Adding password for user testuser2

-cm create a new file (and delete old users!!!)

JR

Hi Simone,

Thank you for your correction. I changed this in the blog post; it was totally my mistake.

Btw, the first time you could use the -c option, when you are really creating a new file.

Shad

Is there a way I can put a line break at the attribution? Something like

[groups]
testgroup = testuser1, testuser2, testuser2, testuser3, testuser4,
testuser5, testuser6, testuser7, testuser8, testuser9

I need to do this cause there’s a group with many users.

JR

Hi Shad,

I think the following syntax should work:

[groups]
testgroup = testuser1, testuser2, testuser2, testuser3, testuser4
testgroup = testuser5, testuser6, testuser7, testuser8, testuser9
testgroup = testuser10, testuser11, testuser12, testuser13, testuser14

Please let me know if you get it working. I can’t test this right now. :)

harti

Hi,

Is there any chance to configure a repository which is outside the /var/www directory? For example, when I use /abc/svn instead of /var/www/svn and configure everything with this path, I’m getting the following error:

“Could not open the requested SVN filesystem”

with /var/www/svn everything works fine with no errors.

JR

Hi harti,

I just checked the SVN Install guide using /some_directory/svn and it’s working normally. Are you absolutely sure you changed all paths from the guide?

varun kumar

Hi
I have configured an SVN server and set SVN Access Control permissions, but all SVN users are accessing all repos.

JR

Did you follow all steps exactly?

Could you post your configuration files?

varun kumar

[groups]
Sadmin = Vijay
admin = bing, babu
developer = pranita,
mobideveloper = pradeep, king
SEO = among
designer = somanath

[/]
* = r
@sadmin = rw
@admin = rw

[Bills_Master:/Baseline]
king = rw
pranita = rw
bing =rw

[ISMS:/Testing]
@developer = rw
bing = rw

[SMS:/Development]
@developer = rw
bing = rw

[V3_Tablet:/]
pradeep = rw

[Tic_Tac_Toe:/]
bing = rw
king = rw

[Wing_Website:/]
bing = rw

[testrepo:/]
Vijay = rw

When we remove the “below mentioned details”, all users get the error that they do not have permission

[/]
* = r
@sadmin = rw
@admin = rw

JR

If you remove all of those then, yes, no one has permissions to /. Other repos' permissions should still work?

But yes, if you want to use your original setup, then you can use the following syntax to disallow read (and write) permission on some project:

...

[/]
* = r
@sadmin = rw
@admin = rw

[Bills_Master:/Baseline]
king = rw
pranita = rw
bing =rw
@designer = 

[ISMS:/Testing]
@developer = rw
bing = rw
among = 
king = 

..

So if you set an “empty” permission, it should disable access on some repos. Alternatively you can remove just * = r, but then only the sadmin and admin groups have permission to access root if you do not allow any other permissions; all other permissions should still work on specific repositories.

Please let me know if you get it working with this help.

varun kumar

Hi
I have already created an SVN structure like below
mkdir -p /var/svntmp/syn-structure-template/{Testing,Baseline,Trunk,management}
and it is working…..
but now I want to add 1 more name to the svn structure, so please help ……….

JR

Hi varun,

You can do it simply with the following command:

svn mkdir http://repoaddess/reponame/newdir

varun kumar

[root@localhost ~]# svn mkdir http://var/www/svn/SKAI-Tata_DoCoMo/release
svn: Could not use external editor to fetch log message; consider setting the $SVN_EDITOR environment variable or using the --message (-m) or --file (-F) options
svn: None of the environment variables SVN_EDITOR, VISUAL or EDITOR are set, and no 'editor-cmd' run-time configuration option was found

JR

You need to export an editor (for example vi):

export EDITOR=vi
svn mkdir http://var/www/svn/SKAI-Tata_DoCoMo/release

Or use the svn message (-m) option:

svn mkdir http://var/www/svn/SKAI-Tata_DoCoMo/release -m "New directory"

jai

Hi Varun,

Could u plz send me the correct steps to configure svn on server and client side.

vijay kumar

Hello friends,
first of all, thanks a lot for sharing this configuration. By use of this I configured svn successfully. I am not able to set the permission for all my projects; I followed all steps as is.
After that, all my users are able to log in to any project repo. I used this command, so I think the problem is due to this:
chcon -R -t httpd_sys_rw_content_t /var/www/svn/testrepo

I also added this file like this and set the permissions like that..

[groups]
Sadmin = Vijay
admin = bing, babu
developer = pranita,
mobideveloper = pradeep, king
SEO = among
designer = somanath

[/]
* = r
@sadmin = rw
@admin = rw

[Bills_Master:/Baseline]
king = rw
pranita = rw
bing =rw

[ISMS:/Testing]
@developer = rw
bing = rw

[SMS:/Development]
@developer = rw
bing = rw

[V3_Tablet:/]
pradeep = rw

[Tic_Tac_Toe:/]
bing = rw
king = rw

[Wing_Website:/]
bing = rw

[testrepo:/]
Vijay = rw

kindly help me to solve this problem, i need the help.

JR

Hi vijay kumar,

Please check the following lines in your permission file:

[/]
* = r
@sadmin = rw
@admin = rw

It adds read permission to every repository for all users and groups?

reply Reply
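
A small lint for the kind of access file discussed in the comments above, as an added example that is not part of the original thread or of Subversion itself. The sample file is constructed from the posted one, and the function names are hypothetical. It flags a `*` grant in `[/]` and group references that match no defined group with the exact same spelling; whether a given Subversion version treats names that differ only in case as the same group is not assumed here.

```python
import re

# Constructed sample, modelled on the access file posted in this thread.
SAMPLE_AUTHZ = """\
[groups]
Sadmin = Vijay
admin = bing, babu
developer = pranita

[/]
* = r
@sadmin = rw
@admin = rw

[testrepo:/]
Vijay = rw
"""

def parse_authz(text):
    """Return {section: [(principal, access), ...]} for an authz-style file."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), [])
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current.append((key, value))
    return sections

def lint_authz(text):
    """Flag root-level '*' grants and group references with no exact-match definition."""
    sections = parse_authz(text)
    groups = {name for name, _ in sections.pop("groups", [])}
    findings = []
    for section, rules in sections.items():
        for principal, access in rules:
            if principal == "*" and access and section == "/":
                findings.append(f"[/] grants '{access}' to all users (*) unless a deeper rule overrides it")
            if principal.startswith("@") and principal[1:] not in groups:
                near = [g for g in sorted(groups) if g.lower() == principal[1:].lower()]
                hint = f" (a group is defined as '{near[0]}')" if near else ""
                findings.append(f"[{section}] {principal}: no group with this exact spelling{hint}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_authz(SAMPLE_AUTHZ)))
```
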
vijay kumar

Hello JR

Thanks a lot for your quick help and guidance. You are doing great, man. Again, thank you very much.

JR

Hello vijay,

You are welcome! Nice to hear that you got it working!

JR

Hi,

You can use the svnadmin dump command, like:

svnadmin dump /path/to/your/repository > /backup/directory/repository.dump

More info with the following command:

svnadmin dump --help

Vishal

Hi JR,

I want your help solving my problem. I installed this SVN on my CentOS 5.5 with all configuration as given. Now I am stuck on ACL (Access Control List). I want to access the repository from another system. I have created some users by command in the /etc/svn-auth-conf file and given the permissions in the /etc/svn-acl-conf file.

In /etc/httpd/conf.d/subversion.conf i had given this location of Repository

DAV svn
SVNPath /var/www/svn/repos
SVNListParentPath On
AuthType Basic
AuthName "Subversion repos"
AuthUserFile /etc/svn-auth-conf
Require valid-user

Now I can access the repository from another system with TortoiseSVN as the specified user, but the problem is that permission is given to only 1 user in the svn-acl-conf file, yet the rest of the users are also able to access it without permission,
and
whenever I insert
AuthzSVNAccessFile /etc/svn-acl-conf this line in the Location of the repository, accessing from another system shows an error during SVN checkout.

This is the only error I want to resolve. I have been facing this problem for 1 month. Please kindly give me the solution so that I can go further.

JR

Hi Vishal,

Do you still have this problem? I have missed your question totally. :/

Vishal

Hi JR,

Thanks for the reply. Yes, I was facing that problem and it has not been resolved yet. But I found another svn called UberSVN and I installed it on another system and it works excellently. No need for commands, it's totally GUI based.
But I still want to solve that problem for future purposes.

JR

Could you post full error message and content of /etc/svn-auth-conf and /etc/svn-acl-conf files? You can of course change real names if you want.

Vishal

Hi JR,

Thanks for the reply. Now the condition is different. We are using UberSVN on our server. Our projects are also on the same server, but now whenever I try to do a checkout from the command line into the empty directory it shows “svn: E175013: Access to '/Test/!svn/rvr/3' forbidden”.

There is already a committed folder in the Test/trunk/ folder by another user. So is there any solution for this?

One more thing: our projects are on a different drive, so on the same server can we use SVN and do commit, checkout, add, etc.?

Thanks in advance

JR

Hi Vishal,

Have you made any changes to the SVN configuration recently? Or has some update changed your configuration?

Could you also check the Apache access/error logs?

If you have the right permissions and correct settings for subversion, then another drive should not be a problem. You can even mount your drive with the bind option, if you have problems with it.

Wardha

Hi JR,
Can you please help me by telling me how I can get remote access in svn? When I want to access the svn server from another computer, the browser shows “you don’t have permission to access /svn on this server”. Please help me to solve this problem.
thank you.
Wardha

JR

Hi Wardha,

Is SVN working from localhost?

Could you access directly to some repository?

Wardha

Hi JR,
Thank you for replying. Yes, SVN is working from localhost. But I can’t access the repositories. It shows the repositories but not the files inside them.
In the remote browser, the login page comes up, but after login it shows this message:

Forbidden
You don’t have permission to access /svn on this server.
Apache/2.2.15 (Red Hat) Server at 192.168.100.103 Port 80

Can you give me a solution?

Thanks once again.

Wardha

JR

Hi Wardha,

Did you use the same username and password that you created in step 2?

Could you post your svn-access-control list content?

varun kumar

Hi Team,
I have configured the SVN structure. From the browser I am able to go into a particular directory and can see committed projects, but from the Linux server I am not able to find that committed project
http:///svn/Repos/Development/
Can you please tell me where to find my committed projects?
Help would be appreciated.

Varun Kumar

Hi Team,

I want to take a backup of the SVN server, please help…. What is important for the backup of an SVN server?

JR

Hi Varun,

Do you have public web server running on same machine?

varun kumar

Yes, I have a public web server and it is running on the same machine. Now I want SVN not to be accessible by public IP, and I can’t remove the public IP from this system/server, please help me.

JR

Okay, then you can’t block port 80.

Try the following /etc/httpd/conf.d/subversion.conf:

LoadModule dav_svn_module     modules/mod_dav_svn.so
LoadModule authz_svn_module   modules/mod_authz_svn.so

<Location /svn>
   DAV svn
   SVNParentPath /var/www/svn
   AuthType Basic
   AuthName "Subversion repositories"
   AuthUserFile /etc/svn-auth-users
   AuthzSVNAccessFile /etc/svn-access-control
   Require valid-user

   ## Deny from all and then allow localhost or some other local network ##
   Order deny,allow
   Deny from all
   Allow from 127.0.0.0/8
</Location>

varun kumar

Hi
I have added the below mentioned lines, but it is still accessible by public IP

## Deny from all and then allow localhost or some other local network ##
Order deny,allow
Deny from all
Allow from 127.0.0.0/8

varun kumar

I want SVN to be accessed by local IP on the LAN network, not accessible from the WAN network.

JR

Hi varun,

You have to add your own network to Allow from 127.0.0.0/8 or add several IPs or networks.

And remember that you need to reload/restart your web server.

reply Reply
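
How the `Order deny,allow` / `Deny from all` / `Allow from` lines in the reply above decide a request, as an added example that is not part of the original thread: a small model of the Apache 2.2 `Order` evaluation rules. The client addresses are constructed, and the LAN range 192.168.100.0/24 is an assumption based on the server address quoted earlier in the comments.

```python
import ipaddress

def host_allowed(client_ip, order, allow=(), deny=()):
    """Evaluate Apache 2.2 style Order/Allow/Deny for one client address.

    'all' matches every client; other entries are IPs or CIDR networks.
    """
    addr = ipaddress.ip_address(client_ip)

    def matches(entries):
        return any(e == "all" or addr in ipaddress.ip_network(e, strict=False)
                   for e in entries)

    allowed, denied = matches(allow), matches(deny)
    if order == "deny,allow":
        # Deny is evaluated first and Allow overrides it; the default is allow.
        return allowed or not denied
    if order == "allow,deny":
        # Allow is evaluated first and Deny overrides it; the default is deny.
        return allowed and not denied
    raise ValueError("order must be 'deny,allow' or 'allow,deny'")

# Constructed client addresses: loopback, a LAN host, and a public host.
CLIENTS = ["127.0.0.1", "192.168.100.50", "203.0.113.7"]

def access_table(allow):
    """Decision per sample client under 'Order deny,allow' with 'Deny from all'."""
    return {ip: host_allowed(ip, "deny,allow", allow=allow, deny=["all"])
            for ip in CLIENTS}

if __name__ == "__main__":
    # Only loopback allowed, as in the posted configuration.
    print(access_table(["127.0.0.0/8"]))
    # Loopback plus the assumed LAN range added to "Allow from".
    print(access_table(["127.0.0.0/8", "192.168.100.0/24"]))
```
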
Sky Is Falling

Great guide. Thank you.

SVN works great.

A question for you, if you don’t mind:
Is there a way to allow users to change their svn passwords?

Thanks.

JR

Hi Sky Is Falling,

You are welcome!

Good question, it’s possible, but then maybe some other authentication method might be much better than mod_authz_svn, which I use in this guide. You can check the Apache HTTP Server – Authentication and Authorization modules to see if you find some better method for your needs. Alternatively you can use, for example, mod_auth_mysql or mod_auth_pgsql and create some simple web user interface to allow users to change their svn passwords…

Varun Kumar

Hi Team,
My SVN server crashed, but I had an SVN backup.dump. I installed svn again, created 1 repo and imported the backup into the repo. Now a user can log in by URL, but when he commits a project it shows the error ACCESS DENIED
Please Help me.
