On Monday, 22.01.2018, 13:12 +0100, Torsten Krah wrote:
> Good catch, but this does not explain the first example of the OP:
>
> [repo:/]
> myuser = rw
> - The client (curl) shows me the repo-root but none of the files below.
> - The error_log shows that my user got authorized on root:
> [Fri Jan 19 21:20:58.735108 2018] [authz_svn:info] [pid 3465:tid
> 140589093869312] [client ::1:59812] Access granted: 'myuser' GET (null)
> - But I'm not allowed to see a file below:
> [Fri Jan 19 21:20:58.735706 2018] [authz_svn:info] [pid 3465:tid
> 140589093869312] [client ::1:59812] Access denied: - GET
> repo:/muhmiau.txt
>
>
> This should be allowed but fails, ideas?
>
> kind regards
>
> Torsten
>
Just curious about that too - I did some further tests here with the latest svn trunk + httpd 2.4.29 and this config based on the "cfg" file from the basic_tests.py (just removed the basic auth part and put the lua call in):

<Location /svn-test-work/repositories>
  DAV svn
  SVNParentPath "/home/tkrah/Development/src/subversion/subversion/tests/cmdline/svn-test-work/repositories"
  LuaHookCheckUserID /etc/apache2/auth.lua authcheck_hook early
  AuthzSVNAccessFile "/home/tkrah/Development/src/subversion/subversion/tests/cmdline/svn-test-work/authz"
  Require valid-user
  SVNAdvertiseV2Protocol on
  SVNCacheRevProps off
</Location>

1. First test with this in authz file:

[/]
* = rw

Then error.log reads like that if I request "basic_tests-10/iota" resource:

http://localhost:3691/svn-test-work/repositories/basic_tests-10/iota

[Tue Jan 23 14:24:43.181106 2018] [mpm_event:debug] [pid 25340:tid 140737265346304] event.c(2175): AH02471: start_threads: Using epoll (wakeable)
[Tue Jan 23 14:24:53.068175 2018] [authz_svn:debug] [pid 25340:tid 140737127630592] subversion/mod_authz_svn/mod_authz_svn.c(448): [client 127.0.0.1:17290] Path to authz file is /home/tkrah/Development/src/subversion/subversion/tests/cmdline/svn-test-work/authz, referer: http://localhost:3691/svn-test-work/repositories/basic_tests-10/
[Tue Jan 23 14:24:53.068400 2018] [authz_svn:info] [pid 25340:tid 140737127630592] [client 127.0.0.1:17290] Access granted: - GET basic_tests-10:/iota, referer: http://localhost:3691/svn-test-work/repositories/basic_tests-10/
[Tue Jan 23 14:24:53.068416 2018] [authz_core:debug] [pid 25340:tid 140737127630592] mod_authz_core.c(809): [client 127.0.0.1:17290] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: http://localhost:3691/svn-test-work/repositories/basic_tests-10/
[Tue Jan 23 14:24:53.068421 2018] [authz_core:debug] [pid 25340:tid 140737127630592] mod_authz_core.c(809): [client 127.0.0.1:17290] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: http://localhost:3691/svn-test-work/repositories/basic_tests-10/
[Tue Jan 23 14:24:53.068748 2018] [lua:debug] [pid 25340:tid 140737127630592] lua_request.c(1838): [client 127.0.0.1:17290] AH01486: request_rec->dispatching headers_in -> apr table, referer: http://localhost:3691/svn-test-work/repositories/basic_tests-10/
[Tue Jan 23 14:24:53.068762 2018] [lua:debug] [pid 25340:tid 140737127630592] lua_request.c(1856): [client 127.0.0.1:17290] AH01488: request_rec->dispatching user -> string, referer: http://localhost:3691/svn-test-work/repositories/basic_tests-10/
[Tue Jan 23 14:24:53.068768 2018] [lua:debug] [pid 25340:tid 140737127630592] lua_request.c(1856): [client 127.0.0.1:17290] AH01488: request_rec->dispatching user -> string, referer: http://localhost:3691/svn-test-work/repositories/basic_tests-10/
[Tue Jan 23 14:24:53.068772 2018] [lua:debug] [pid 25340:tid 140737127630592] lua_request.c(1848): [client 127.0.0.1:17290] AH01487: request_rec->dispatching debug -> lua_CFunction, referer: http://localhost:3691/svn-test-work/repositories/basic_tests-10/
[Tue Jan 23 14:24:53.068778 2018] [lua:debug] [pid 25340:tid 140737127630592] @/etc/apache2/auth.lua(23): [client 127.0.0.1:17290] user foo: OK, referer: http://localhost:3691/svn-test-work/repositories/basic_tests-10/
[Tue Jan 23 14:24:53.068793 2018] [authz_svn:debug] [pid 25340:tid 140737127630592] subversion/mod_authz_svn/mod_authz_svn.c(448): [client 127.0.0.1:17290] Path to authz file is /home/tkrah/Development/src/subversion/subversion/tests/cmdline/svn-test-work/authz, referer: http://localhost:3691/svn-test-work/repositories/basic_tests-10/
[Tue Jan 23 14:24:53.068823 2018] [authz_svn:info] [pid 25340:tid 140737127630592] [client 127.0.0.1:17290] Access granted: 'foo' GET basic_tests-10:/iota, referer: http://localhost:3691/svn-test-work/repositories/basic_tests-10/

So the access is granted in the first line to "-", after that authz_core determines that there is no user authenticated yet and the call flow reaches the configured lua auth hook via authz_core (1:1 from the httpd docs https://httpd.apache.org/docs/2.4/de/mod/mod_lua.html#luahookaccesschecker) which sets the user, and after that authz_svn:info is happy to grant access to user 'foo' for that resource in the last line - fine so far.

Now the second test with that in authz file:

[/]
foo = rw

This should work the same (shouldn't it?) - the user will be 'foo' - but this is the debug output:

[Tue Jan 23 14:31:56.714114 2018] [authz_svn:debug] [pid 27435:tid 140737127630592] subversion/mod_authz_svn/mod_authz_svn.c(448): [client 127.0.0.1:17374] Path to authz file is /home/tkrah/Development/src/subversion/subversion/tests/cmdline/svn-test-work/authz, referer: http://localhost:3691/svn-test-work/repositories/basic_tests-10/
[Tue Jan 23 14:31:56.714376 2018] [authz_svn:error] [pid 27435:tid 140737127630592] [client 127.0.0.1:17374] Access denied: - GET basic_tests-10:/iota, referer: http://localhost:3691/svn-test-work/repositories/basic_tests-10/

After that the request is already answered with 403 and finished. mod_authz_core.c did not even have a chance yet to run to the authentication phase and delegate that to the configured lua script.

Any ideas why that request with the user "-" is denied here instead of processing the chain like above - meaning granted without knowing the user yet and later on verified and granted with the correct user?

Ideas? Any hints where to put some breakpoints and post values here - I am not that familiar with the svn source to get the interesting method calls and values via some gdb help ;).

kind regards

Torsten
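Added example, not part of the original message and not code from Subversion or httpd: a small Python script that reads authz_svn verdict lines like the ones quoted above and marks requests whose only verdict is a denial for "-", that is, requests answered before any user name was set. The sample lines are abridged from the logs in the message; the function names and labels are made up for this illustration.

```python
import re
from collections import defaultdict

# authz_svn verdict line: "Access granted|denied: <user> <METHOD> <repo:/path>".
# "-" in the user position means no user name was set when the check ran.
VERDICT = re.compile(
    r"\[authz_svn:(?:info|error)\] \[pid \d+:tid \d+\] \[client (?P<client>[^\]]+)\] "
    r"Access (?P<verdict>granted|denied): (?P<user>-|'[^']*') "
    r"(?P<method>\S+) (?P<path>[^,\s]+)"
)

def decisions(log_lines):
    """Collect verdicts per (client, method, path), in log order."""
    seen = defaultdict(list)
    for line in log_lines:
        m = VERDICT.search(line)
        if m:
            user = None if m["user"] == "-" else m["user"].strip("'")
            seen[(m["client"], m["method"], m["path"])].append((user, m["verdict"]))
    return seen

def classify(verdicts):
    """Label one request from its ordered (user, verdict) pairs."""
    named = [verdict for user, verdict in verdicts if user is not None]
    if named:
        return "user-" + named[-1]  # a user name was set; its last verdict counts
    if verdicts[0][1] == "denied":
        return "anonymous-denied-before-authn"  # rejected with no user ever set
    return "anonymous-granted"

def report(log_lines):
    """Map each (client, method, path) to its label."""
    return {key: classify(v) for key, v in decisions(log_lines).items()}

# Constructed sample: abridged from the log lines in the message (referer dropped).
P1 = "[pid 25340:tid 140737127630592] "
P2 = "[pid 27435:tid 140737127630592] "
SAMPLE = [
    "[Tue Jan 23 14:24:53.068400 2018] [authz_svn:info] " + P1 + "[client 127.0.0.1:17290] Access granted: - GET basic_tests-10:/iota",
    "[Tue Jan 23 14:24:53.068416 2018] [authz_core:debug] " + P1 + "mod_authz_core.c(809): [client 127.0.0.1:17290] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)",
    "[Tue Jan 23 14:24:53.068823 2018] [authz_svn:info] " + P1 + "[client 127.0.0.1:17290] Access granted: 'foo' GET basic_tests-10:/iota",
    "[Tue Jan 23 14:31:56.714376 2018] [authz_svn:error] " + P2 + "[client 127.0.0.1:17374] Access denied: - GET basic_tests-10:/iota",
]

if __name__ == "__main__":
    for key, label in report(SAMPLE).items():
        print(key, label)
```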