I'm having some problems setting up access to my Subversion repositories on a Linux server. The problem is that I can only seem to get an all-or-nothing structure going. Either everyone gets read access to everything or no one gets read or write access to anything.

The setup:

SVN repos are located in /www/svn/repoA,repoB,repoC...

Repositories are served by Apache, with Locations defined in etc/httpd/conf.d/subversion.conf as:

<Location /svn/repoA>
 DAV svn
 SVNPath /var/www/svn/repoA
 AuthType Basic
 AuthName "svn repo"
 AuthUserFile /var/www/svn/svn-auth.conf
 AuthzSVNAccessFile /var/www/svn/svn-access.conf
 Require valid-user
</Location>

<Location /svn/repoB>
 DAV svn
 SVNPath /var/www/svn/repoB
 AuthType Basic
 AuthName "svn repo"
 AuthUserFile /var/www/svn/svn-auth.conf
 AuthzSVNAccessFile /var/www/svn/svn-access.conf
 Require valid-user
</Location>

...

svn-access.conf is set up as:

[/]
* =

[/repoA]
* =
userA = rw

[/repoB]
* =
userB = rw

But checking out URL/svn/repoA as userA results in Access Forbidden.

Changing it to

[/]
* =
userA = r

[/repoA]
* =
userA = rw

[/repoB]
* =
userB = rw

gives userA read access to ALL repositories (including repoB) but only read access to repoA!

So in order for userA to get read-write access to repoB I need to add

[/]
userA = rw

which is mental.

I also tried changing

 Require valid-user

to

 Require user userA

for repoA in subversion.conf, but that only gave me read access to it.

I need a way to default deny everyone access to every repository, giving read/write access only when explicitly defined.

Can anyone tell me what I'm doing wrong here? I have spent a couple of hours testing and googling but come up empty, so now I'm doing the post of shame.

EDIT

I went with Shane's first solution and ended up with the following working config:

/etc/httpd/conf.d/subversion.conf:

<Location /svn>
    DAV svn
    SVNParentPath /var/www/svn

    AuthType Basic
    AuthName "Subversion repo"
    AuthUserFile /var/svn-auth.conf
    AuthzSVNAccessFile /var/svn-access.conf
    Require valid-user
</Location>

/var/svn-access.conf:

[/]
* =

[repoA:/]
* =
userA = rw

[repoB:/]
* =
userB = rw
– Glader

3 Answers

The common theme in the problems that you're having is that your [/repoA] and [/repoB] sections are doing nothing whatsoever, right? There's a reason for that.

The paths you're authorizing are not relative to the location of the authz access file; they're relative to the SVN repository that it's handling access control for.

So, your [/] section? It grants access to both /svn/repoA/ and /svn/repoB/; it does not grant access to /svn/. Similarly, your [/repoA] section grants access to /svn/repoA/repoA and /svn/repoB/repoA; a rule for [/trunk] will grant access to both /svn/repoA/trunk and /svn/repoB/trunk.

You've set SVNPath directives for each of your repositories, but you're pointing to the same authorization files for each - so each repository has identical access rules. There's a syntax for setting different authorization for different repositories, but that's for when you're using SVNParentPath.

So, two options:

  1. Switch to using SVNParentPath /var/www/svn instead of hard-defining each repo in your Apache config, and change your authz file to have repo-targeted permissions:

    [/]
    * =
    userA = r
    
    [repoA:/]
    * =
    userA = rw
    
    [repoB:/]
    * =
    userB = rw
    
  2. Use different authz files for each repository, keeping in mind that the paths that access is being granted for are relative to the root of the repository.

– Shane Madden
  • Thank you so much for this very concrete explanation. I'm updating my question with the correct configuration. – Glader Sep 07 '12 at 16:00
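To make the path-resolution point above concrete, here is a small evaluator for the authz subset used in this question, written as an added example (it is not code from the question, the answers or Subversion itself). It assumes simplified semantics: the most specific path section wins, a `[repo:/path]` section beats the generic `[/path]` section for the same path, and within a section a rule naming the user beats the `*` rule; groups, aliases and `~` negation are not modelled. The two embedded files are constructed copies of the asker's first access file and the final working one.

```python
# Added example: evaluate who may read/write what under two authz files.
# Simplified model of mod_authz_svn (no groups, aliases or "~" negation).
import configparser

# Constructed copy of the asker's first file (served via SVNPath, so every
# section applies to every repository) and of the final working file.
ORIGINAL_AUTHZ = """[/]
* =
[/repoA]
* =
userA = rw
[/repoB]
* =
userB = rw
"""

FIXED_AUTHZ = """[/]
* =
[repoA:/]
* =
userA = rw
[repoB:/]
* =
userB = rw
"""

def parse_authz(text):
    """Map (repo or None, path) -> {principal: rights} for every section."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # Subversion user names are case-sensitive
    cp.read_string(text)
    rules = {}
    for section in cp.sections():
        if section in ("groups", "aliases"):
            continue
        repo, path = section.split(":", 1) if ":" in section else (None, section)
        rules[(repo, path.rstrip("/") or "/")] = dict(cp.items(section))
    return rules

def access(rules, repo, path, user):
    """Rights ({"r","w"}, {"r"} or empty) that user has on repo:path."""
    path = "/" + path.strip("/")
    while True:
        for key in ((repo, path), (None, path)):  # repo-specific section first
            section = rules.get(key)
            if section and (user in section or "*" in section):
                return set(section.get(user, section.get("*")))
        if path == "/":
            return set()  # no rule matched anywhere: deny by default
        path = path.rsplit("/", 1)[0] or "/"  # walk up towards the root
```

With the first file, `access(parse_authz(ORIGINAL_AUTHZ), "repoA", "/", "userA")` is empty (the "Access Forbidden" from the question) while the same user gets `rw` on the path `/repoA` inside *every* repository; with the fixed file userA gets `rw` anywhere in repoA and nothing in repoB.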
Whoa. First off, I would remove that svn-auth.conf (and svn-access.conf) out of the directory that Apache explicitly serves HTTP requests from. Some malicious person comes along and requests that file and he has half your security figured out already without needing to try.

https://stackoverflow.com/questions/81361/how-to-setup-access-control-in-svn This answer seems to cover what you're looking for, I think.

– Jguy
  • Thanks for the security reminder! Although I couldn't manage to access the conf-files since /www/html is the root directory when accessing through a web-browser that doesn't mean I've missed something fundamental. I have now moved the conf-files to outside the www directory completely. – Glader Sep 07 '12 at 16:12
You're mixing up the one-project-per-repository structure with the path-based authorization form.

– quanta