
I'm trying to configure permissions for an SVN repository accessed through Apache 2. What I want is to let anyone access the root directory, while restricting to authenticated users a child directory. Example:

    /demo
    /demo/project1
    /demo/project1/sensitive-data  # This path should require user authentication.
    /demo/project2

At first, I thought this was as simple as:

    <Location /demo>
        DAV svn
        SVNPath /home/svn/demo
        AuthType Basic
        AuthName demo
        AuthUserFile /etc/subversion/passwd
        <LimitExcept GET PROPFIND OPTIONS REPORT>
            Require valid-user
        </LimitExcept>
    </Location>

    <Location /demo/project1/sensitive-data>
        DAV svn
        Require valid-user
    </Location>

When used through HTTP (for example with CURL), Apache conforms to the configuration: I can access:

and I get, as expected, an HTTP 401 Unauthorized when trying to retrieve http://example.com/demo/project1/sensitive-data.

On the other hand, doing:

  • svn checkout http://example.com/demo/ . or:
  • svn checkout http://example.com/demo/project1/ .

retrieves the whole directory tree, including demo/project1/sensitive-data.

At least, svn checkout http://example.com/demo/project1/sensitive-data/ . asks for a password.

How should I configure the permissions to restrict access to the sensitive-data directory when doing svn checkout http://example.com/demo/ .?

Arseni Mourzenko

1 Answer

The <Location /demo/project1/sensitive-data> block is irrelevant when doing a checkout: it is used only when accessing http://example.com/demo/project1/sensitive-data directly, which is the reason why HTTP requests result in HTTP 401 Unauthorized and a checkout of this particular directory requires authentication.

The proper way to configure path-based authorization is explained in the Subversion documentation:

  1. <Location /demo> points to an access file:

    <Location /demo>
        ...
        AuthzSVNAccessFile /etc/subversion/access.conf
        ...
    </Location>
    
  2. The access file defines who can access the specific files and directories. Basic example:

    # Everyone should be able to access the repository.
    [/]
    * = r

    # Nobody should access the sensitive directory.
    # Note that there is no trailing slash.
    [/demo/project1/sensitive-data]
    * =
    
Arseni Mourzenko
  • Can this be used similarly in reverse? I want to give guest access to a sub-directory only, and disallow "guest" to browse the rest of the repository. Or maybe the easiest way would be to just create a separate repository? – Zack Mar 10 '15 at 15:38
  • @Zack: I don't have a test environment right now, but I believe that yes, you can do that. Also relevant: [What are the permissions to set on SVN root?](http://serverfault.com/q/538036/39827) – Arseni Mourzenko Mar 10 '15 at 15:47
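
How an access file like the one in the answer is evaluated, as an added example that is not part of the original answer or of Subversion's own code: a simplified Python model in which the nearest section that names the user decides, and matching entries within one section are combined. It assumes no groups, aliases or repository-prefixed sections; the `$authenticated = r` line and the file names used to exercise it are additions made for illustration.

```python
import configparser
import posixpath

# Constructed sample: the answer's rules plus an added $authenticated line
# (an assumption of this example) so that logged-in users can read the
# directory. Section names are paths inside the repository, not URLs.
AUTHZ = """
[/]
* = r

[/demo/project1/sensitive-data]
* =
$authenticated = r
"""

def load_rules(text):
    """Parse authz text into {path: [(who, rights), ...]}."""
    parser = configparser.RawConfigParser(delimiters=("=",), comment_prefixes=("#",))
    parser.optionxform = str          # keep user names case-sensitive
    parser.read_string(text)
    return {s: list(parser.items(s)) for s in parser.sections()}

def matches(who, user):
    """Does the rule subject apply? user is None for an anonymous request."""
    if who == "*":
        return True
    if who == "$anonymous":
        return user is None
    if who == "$authenticated":
        return user is not None
    return who == user

def can_read(rules, user, path):
    """Walk from path up to '/'; the nearest section naming the user decides."""
    path = posixpath.normpath(path)
    while True:
        hits = [rights for who, rights in rules.get(path, []) if matches(who, user)]
        if hits:
            return any("r" in rights for rights in hits)
        if path == "/":
            return False              # no rule matched anywhere: deny
        path = posixpath.dirname(path)

def visible(rules, user, paths):
    """Paths a checkout by this user would be allowed to receive."""
    return [p for p in paths if can_read(rules, user, p)]
```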