If Not True Then False

SVN (Subversion) Access Control with Apache and mod_authz_svn - Comment Page: 2

I just wrote a guide on how to install SVN (Subversion) Server on Fedora, CentOS and Red Hat (RHEL). Now I decided to write more information about SVN Access Control. This guide works if you have installed Apache, Subversion (SVN) and mod_dav_svn on any Linux system, like Ubuntu, Debian, Arch, Gentoo, not only Fedora, CentOS or Red Hat (RHEL). Setup SVN (Subversion) Access...

96 Comments

Varun Kumar

Hi Team,
My SVN server crashed, but I had an SVN backup.dump. I installed SVN again, created 1 Repos and imported the backup into Repos. Now the user can log in by URL, but when he commits a project it shows the error ACCESS DENIED.
Please Help me.

JR

Hi Varun Kumar,

Could you tell more about your current setup? This sounds like an Access Control problem if SVN is working but the user can’t commit.

Could you post your Access Control file content? You can of course change user names if you want.

Varun Kumar

Hi Team

The access control file is below.

[groups]
Administrator = Varun, Vijay, Anamika, Babu
Developer = Abhishek, Sumit, satya, Pradeep, Anita, Rahul, Ankit, Vivek
Designer = Sohan, Vivek

[/]
#* = r
@Administrator = rw
@Designer =

[Repos:/]
@Developer = rw
@Designer =

JR

Thanks, I assume that users who have rw permission can’t commit?

Do you have SELinux enabled?


grep -v "#" /etc/sysconfig/selinux

Could you also post the output of the following commands:


ls -laZ /path/svn

ls -laZ /path/svn/repo

You can of course change file names and repo name.

Varun Kumar

Hi, here is the output of the given commands:

[root@localhost ~]# ls -laZ /var/www/svn/Repos/
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 .
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 ..
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 conf
drwxr-sr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 db
-r--r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 format
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 hooks
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 locks
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 README.txt
[root@localhost ~]# ls -laZ /var/www/svn/
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 .
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 ..
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 Repos
[root@localhost ~]#
(4:52 PM) vijay.k: [root@localhost ~]# grep -v "#" /etc/sysconfig/selinux

SELINUX=enforcing
SELINUXTYPE=targeted

JR

Thanks, first set httpd_sys_rw_content_t instead of httpd_sys_content_t:


chcon -R -t httpd_sys_rw_content_t /var/www/svn

Then try to commit again. Is it working then? If not, could you post the full error message?

Varun Kumar

Hi Team,
When I commit a project to the SVN repository I get this error:
Can't open file ‘/var/www/svn/Repos1/dv/txn-current-lock’: Permission Denied
Please help …

JR

Hi Varun,

Do you have the right permissions on your repo? Normally user: apache and group: apache.


chown -R apache:apache /var/www/svn/Repos1

Varun Kumar

Hi team,

I have used the chown -R apache:apache /var/www/svn/Repos1 command, but now I am getting another error:
svn: Server sent unexpected return value (403 Forbidden) in response to MKACTIVITY request for ‘/SVN/Repos1/!svn/act/act627d94a5-1d65-42bf-b88c-b1b28ee0d0ac’

Please help…..

JR

Hi Varun,

To me this sounds like a problem with user permissions. Can you do, for example, a checkout (svn co) or a listing (svn ls) normally?

Joe C.

I’m also seeing the same issue. I’ve seen posts claiming that this is a “case-sensitive” issue or that I should be using https:// instead of http:// but neither of these seems to fix the issue. Does anyone know what could be causing this issue and how to fix it??

Any help will be much appreciated!!

Thanks!!

joe

Hi,

I want to isolate a group to a repository.

I have subversion set up through ldap.
Users in a particular group can access all the repository. Users use TortoiseSVN.

#**************************************************
#LDAP AUTHENTICATION
#**************************************************
# Work around authz and SVNListParentPath issue
RedirectMatch ^(svn)$ $1/

DAV svn
SVNParentPath /path /to//svn/
SVNListParentPath on

# Limit write permission to list of valid users.
# Require SSL connection for password protection.
# SSLRequireSSL

AuthType Basic
AuthName "Authorization Realm"
AuthBasicProvider ldap
AuthzLDAPAuthoritative On
AuthLDAPBindDN "cn=name,……etc"
AuthLDAPBindPassword "password"
AuthLDAPURL "ldap://ldapname-port etc?uid?"

Require ldap-group cn=svnreadwrite,etc
Require ldap-group cn=svnreadonly,etc

Require ldap-group cn=svnreadwrite,cn=etc

DAV svn
SVNParentPath /path/to/my/mysite/
SVNPathAuthz off

Require ldap-group cn=svngrp1,cn=etc

I want the users in svngrp1 to access the mysite repository.

Thanks
Joe

Varun Kumar

Still facing the problem when committing files. Can I remove SVN and install it again?

JR

Hi Varun,

Simply remove the repos, and remove the mod_dav_svn and subversion packages and the svn (custom) config files.

Of course, back up everything that you might need later.

ngphban

Hi there,

I followed the above guide from JR and it works well in the case without an access-control file.
The problem is that I got an access denied error after using any created account to log in to

Below is my access-control file. Could you please help me find out the reason?

[groups]
admin = user1, user2
cltt = user3
gm = user4
srv = user5, user6
arts = user7

[repos:/]
@admin = rw
user1 = rw

[repos:/api_src]
@srv = rw
user1 = rw

[repos:/art_01]
@art = rw

[repos:/art_02]
@art = rw

[repos:/cltt_src
@cltt = rw

[repos:/gm_dsg]
@gm = rw

[repos:/srv_src]
@srv = rw

reply Reply
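Added example, not part of the original comment thread: a small Python linter for the access-control file format posted above. It flags a section header with no closing `]` and a rule naming a group that `[groups]` never defines (the posted file has `[repos:/cltt_src` and uses `@art` where the group is `arts`). The function name `lint_authz` and the sample are constructed for illustration; the linter assumes no continuation lines and ignores `&` aliases and `$` tokens.

```python
import re

# Constructed sample, not the commenter's file; it carries the same two kinds of defect.
SAMPLE = """\
[groups]
admin = user1, user2
srv = user5, user6
arts = user7

[repos:/]
@admin = rw

[repos:/art_01]
@art = rw

[repos:/cltt_src
@srv = rw
"""

HEADER = re.compile(r"^\[([^\[\]]+)\]$")

def lint_authz(text):
    """Return sorted (line_number, message) findings for authz file text."""
    findings, groups, refs, section = [], set(), [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            m = HEADER.match(line)
            section = m.group(1) if m else None
            if not m:
                findings.append((no, "malformed section header: " + line))
            continue
        name, sep, value = (p.strip() for p in line.partition("="))
        if not sep:
            findings.append((no, "not a 'name = value' line: " + line))
        elif section is None:
            findings.append((no, "rule outside any valid section: " + line))
        elif section == "groups":
            groups.add(name)
            # groups may contain other groups, written as @name
            refs += [(no, x.strip()[1:]) for x in value.split(",") if x.strip().startswith("@")]
        else:
            if value not in ("", "r", "rw"):
                findings.append((no, "unknown access value: " + value))
            if name.lstrip("~").startswith("@"):
                refs.append((no, name.lstrip("~")[1:]))
    # resolve references last so a group may be used before it is defined
    findings += [(no, "undefined group: @" + g) for no, g in refs if g not in groups]
    return sorted(findings)
```

Running `lint_authz` over the file named by `AuthzSVNAccessFile` before reloading Apache catches these mistakes before users see access-denied errors.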
josh

Hi,
To implement directory level permission in httpd.conf, two modules, i.e. authz_svn_module and dav_svn_modules, are not loaded by default. In order to implement locking on directories, loading these two and restarting httpd will work… Please reply ASAP.

JR

Hi josh,

Do you have some problem with setting directory level permissions?

sam

I can't save changes to this file: /etc/httpd/conf.d/subversion.conf

sam

It's fine now, thanks for the effort, and I must say this is a great tutorial!!

varun Kumar

error while creating module: org.tigris:subversion.javal.clientException :RA Layerrequest failed
svn: server sent unexpected return value (403 Forbidden) in response to MKACTIVITY request for /SVN/Repos/!Svn/act/3b9f9810-2eb1-4a37-a16832f74506b35a

Arunkumar

Hi,
I am using SVN for my project to commit my code. We have different users using our repository. We are using Hudson for build and deployment. Once I start the build process, I would like to restrict other users from committing code, i.e. put the other users in read-only mode. Is it possible to do something with the svn_access file? This should be done automatically on every build. Could someone help with this?

JR

Hi Arunkumar,

It should be possible if you change the permission to “r” for all users, but maybe a better way is to create a new tag when you have a new release, like:


svn copy http://svnserver/svn/project/trunk http://svnserver/svn/project/tags/1.0.1 -m "Release 1.0.1"

Then build your release tag, and all users can use (read and write) the repository (trunk) normally.

Jirong Hu

Do you have instructions on how to integrate Apache/SVN/LDAP? I just can’t make it work after two days.
