On 2013-08-20 01:41, Nico Kadel-Garcia wrote:
> I think he meant "subversion-1.6.11", which is the default version for
> CentOS 6.4.

Check the SELinux settings in /etc/sysconfig/selinux.
Set the line to 'SELINUX=permissive' (or disabled).
After changing the SELINUX value a reboot is required.

Additionally, add a trailing '/' so your config looks like this:

RewriteEngine on
# the trailing '/' in /svn/ is needed to browse repos with a standard browser!
RedirectMatch ^(/svn)$ $1/

<Location /svn/>
    DAV svn
    SVNParentPath /var/svn/

    # Authentication: Digest
    AuthName "Subversion repository"
    AuthType Digest
    AuthUserFile /etc/svn-auth.htdigest

    # Authorization: Authenticated users only
    Require valid-user
</Location>

>
> On Mon, Aug 19, 2013 at 6:19 PM, Ben Reser <[email protected]> wrote:
>
>> On 8/19/13 9:07 AM, Scott Frankel wrote:
>>> I'm new to SVN server configuration and find myself setting up a CentOS
>>> 6.4 server with svn version 1.6.1, following the red-bean book.
>>
>> I'd strongly urge you not to use 1.6.1, see the list of applicable
>> security issues here:
>> http://subversion.apache.org/security/
>>
>> If you're using the CentOS packages they may have patched those issues
>> without updating the svn version number. You should check that though.
>>
>> If you're setting up a new server I wouldn't start with 1.6.x but would go
>> straight to 1.7.x or 1.8.x, probably 1.8.x if you can.
>>
>>> I'm having difficulty with authorization &/or authentication: my repo
>>> appears to be accessible by anyone in spite of requiring "valid-user" and
>>> specifying digest authentication. I believe this because 1) I can download
>>> a full working copy of the repo to a 3rd-party logged into a foreign
>>> computer, and 2) I have dozens of entries in apache's logfiles, like these
>>> from this morning, *prior* to any known/legitimate access to my repos today:
>>>
>>> svn_logfile:
>>> [19/Aug/2013:00:46:32 +0000] - checkout-or-export / r1 depth=infinity
>>
>> That does indeed look like access without a user.
>>
>>> access_log
>>> 93.174.93.213 - - [19/Aug/2013:07:23:50 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 319 "-" "ZmEu"
>>>
>>> error_log
>>> [Mon Aug 19 07:23:51 2013] [error] [client 93.174.93.213] File does not exist: /var/www/html/MyAdmin
>>
>> These however do not appear to be alarming at all. Neither of them are
>> under the /svn Location on your server where you have put the Require
>> valid-user requirement. They appear to me to be just normal probes run
>> by someone looking for security holes. This sort of thing is just going
>> to be a normal part of running a server on the Internet.
>>
>>> <Location /svn>
>>> DAV svn
>>> SVNParentPath /var/svn
>>>
>>> # Authentication: Digest
>>> AuthName "Subversion repository"
>>> AuthType Digest
>>> AuthUserFile /etc/svn-auth.htdigest
>>>
>>> # Authorization: Authenticated users only
>>> Require valid-user
>>> </Location>
>>
>> I'm not seeing anything wrong with this, so I'm not sure why you're
>> having a problem. You didn't mention it but I'm wondering what version
>> of httpd you're running, I'm assuming 2.2.x since you're using 1.6.1 on
>> CentOS 6.4.
>>
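
An added example, not part of the original messages and not code from the Subversion project: a log check for the symptom discussed in this thread, SVN operations served without an authenticated user. It assumes the svn_logfile is written as "%t %u %{SVN-ACTION}e" and the access_log uses the combined format; the repository name, the user alice and the 192.0.2.10 and 198.51.100.7 clients are constructed sample data.

```python
import re

# Assumed svn_logfile format (not stated in the thread): "%t %u %{SVN-ACTION}e",
# which is consistent with the svn_logfile line quoted above.
SVN_LINE = re.compile(r'^\[(?P<time>[^\]]+)\]\s+(?P<user>\S+)\s+(?P<action>\S+)\s*(?P<detail>.*)$')
# Apache "combined" access_log: host ident user [time] "METHOD path proto" status ...
ACCESS_LINE = re.compile(r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                         r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def anonymous_svn_actions(lines):
    """SVN operations that were logged with no authenticated user (%u is '-')."""
    hits = []
    for line in lines:
        m = SVN_LINE.match(line.strip())
        if m and m.group("user") == "-":
            hits.append((m.group("time"), m.group("action"), m.group("detail")))
    return hits

def anonymous_svn_requests(lines, prefix="/svn"):
    """access_log requests under `prefix` answered 2xx with no user.
    A 401 with user '-' is the normal Digest challenge and is not reported;
    neither is a 3xx such as the redirect from /svn to /svn/."""
    hits = []
    for line in lines:
        m = ACCESS_LINE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        under_prefix = path == prefix or path.startswith(prefix + "/")
        if under_prefix and m.group("status").startswith("2") and m.group("user") == "-":
            hits.append((m.group("host"), m.group("method"), path, m.group("status")))
    return hits

# First line of each sample is quoted in the thread; the rest are constructed.
SVN_LOG = [
    '[19/Aug/2013:00:46:32 +0000] - checkout-or-export / r1 depth=infinity',
    '[19/Aug/2013:09:00:01 +0000] alice commit r2',
]
ACCESS_LOG = [
    '93.174.93.213 - - [19/Aug/2013:07:23:50 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 319 "-" "ZmEu"',
    '192.0.2.10 - - [19/Aug/2013:00:46:31 +0000] "OPTIONS /svn/repo HTTP/1.1" 401 401 "-" "SVN/1.6.11"',
    '192.0.2.10 - - [19/Aug/2013:00:46:32 +0000] "PROPFIND /svn/repo HTTP/1.1" 207 648 "-" "SVN/1.6.11"',
    '198.51.100.7 - alice [19/Aug/2013:09:00:00 +0000] "PROPFIND /svn/repo HTTP/1.1" 207 648 "-" "SVN/1.6.11"',
]

if __name__ == "__main__":
    for hit in anonymous_svn_actions(SVN_LOG) + anonymous_svn_requests(ACCESS_LOG):
        print("no authenticated user:", hit)
```

Run against the real log files, an empty result from both functions after a configuration change is the signal that the Require valid-user rule is being enforced for the /svn location.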
