subversion-users mailing list archives

From Ricardo NUNEZ <r.nu...@groupeonepoint.com>
Subject Can an account in group1 make an illegal modification to the group2 section?
Date Thu, 28 May 2015 18:23:47 GMT
Hi,
We're deploying a Subversion 1.8.11 server with Apache 2.4.12. All the clients are using
the 1.8 protocol.

Let's say we only have two groups. We want every account in those groups to have read access
to the whole repository, but read-write access only to their own section. We're talking about
LDAP groups, so AuthzSVNAccessFile doesn't help much without using additional scripts.

I found that the following authentication/authorization configuration works well, assuming
that the base Subversion URL is http://server/svn:

(...)
<RequireAny>
    <RequireAll>
        Require ldap-group CN=group1,OU=(...)
        <RequireAny>
            Require expr %{Request_URI} =~ m|^/svn/group1|
            Require expr %{Request_URI} =~ m|^/svn/\!svn|
            Require expr %{REQUEST_METHOD} in {'GET','OPTIONS','PROPFIND','REPORT'}
        </RequireAny>
    </RequireAll>

    <RequireAll>
        Require ldap-group CN=group2,OU=(...)
        <RequireAny>
            Require expr %{Request_URI} =~ m|^/svn/group2|
            Require expr %{Request_URI} =~ m|^/svn/\!svn|
            Require expr %{REQUEST_METHOD} in {'GET','OPTIONS','PROPFIND','REPORT'}
        </RequireAny>
    </RequireAll>
</RequireAny>
(...)
The real question is that I don't know whether we could be opening a potential security hole
because of the line: Require expr %{Request_URI} =~ m|^/svn/\!svn|. Looking at the Apache
logs, I found that the URI '/svn/!svn(...)' appeared when trying to modify information we are
allowed to modify.

That is, given this configuration, is it possible that an account in group1 could make an
illegal modification to the group2 section?

Thank you!

Ricardo

PS: To find the read only HTTP methods, I used http://svn.apache.org/repos/asf/subversion/trunk/notes/http-and-webdav/webdav-protocol
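
A quick way to see what the posted rules can and cannot check is to model them. The following is an added example, not Apache code and not part of Ricardo's message: it evaluates the RequireAny/RequireAll nesting from the post over a constructed request trace. The group names and section paths are the post's. The shape of the trace (a POST to /svn/!svn/me to open a transaction, then PUTs to /svn/!svn/txr/<txn>/<path>) follows the HTTPv2 commit layout described in the webdav-protocol notes linked in the PS; the transaction name "9-a", the file names and the trace itself are invented. The point it makes: the `^/svn/\!svn` alternative admits any method on transaction resources, and the repository path such a write lands on appears only after the transaction name, where the per-section regexes never look. The `effective_target` helper stands in for the path resolution a path-aware authorizer (mod_authz_svn, which hooks into mod_dav_svn) performs and a Request_URI regex cannot.

```python
import re

# Added illustration, not Apache code and not part of the original message:
# a small model of the <RequireAny>/<RequireAll> block from the post, evaluated
# over a constructed request trace.  Group names and section paths are the
# post's; the transaction name and the trace are invented for the example.

READ_ONLY_METHODS = {"GET", "OPTIONS", "PROPFIND", "REPORT"}

# Require expr %{Request_URI} =~ m|^/svn/groupN|
SECTION_RE = {
    "group1": re.compile(r"^/svn/group1"),
    "group2": re.compile(r"^/svn/group2"),
}
# Require expr %{Request_URI} =~ m|^/svn/\!svn|
SPECIAL_RE = re.compile(r"^/svn/!svn")

# Resources a write actually lands on:  /svn/!svn/txr/<txn>/<path>  (HTTPv2
# transaction resource) and  /svn/!svn/wrk/<activity>/<path>  (HTTPv1 working
# resource).  The repository path is everything after the txn/activity name.
WRITE_RESOURCE_RE = re.compile(r"^/svn/!svn/(?:txr|wrk)/[^/]+/(.*)$")


def require_any_group(groups, method, uri):
    """True if the posted config admits (groups, method, uri).

    Outer RequireAny: OR over the two per-group RequireAll blocks.  Inner:
    the ldap-group test AND one of {own section, any !svn URI, read-only method}.
    """
    for group, section in SECTION_RE.items():
        if group not in groups:
            continue  # Require ldap-group fails, so this branch fails
        if (section.search(uri)
                or SPECIAL_RE.search(uri)
                or method in READ_ONLY_METHODS):
            return True
    return False


def effective_target(uri):
    """Repository path a request touches, or None for protocol plumbing.

    A plain URI is its own target.  A txr/wrk resource targets the path after
    the transaction name.  Other !svn resources (!svn/me, !svn/txn/<txn>, ...)
    carry no repository path.  Request_URI matching only ever sees the raw URI,
    so the per-section regexes never look at the path this function recovers.
    """
    m = WRITE_RESOURCE_RE.match(uri)
    if m:
        return "/svn/" + m.group(1)
    if SPECIAL_RE.search(uri):
        return None
    return uri


def out_of_section_writes(groups, requests):
    """Admitted, non-read-only requests whose target is outside every section
    the principal belongs to.  Returns (method, uri, target) triples."""
    own = [SECTION_RE[g] for g in groups if g in SECTION_RE]
    leaks = []
    for method, uri in requests:
        if method in READ_ONLY_METHODS:
            continue
        if not require_any_group(groups, method, uri):
            continue
        target = effective_target(uri)
        if target is not None and not any(rx.search(target) for rx in own):
            leaks.append((method, uri, target))
    return leaks


# Constructed trace for a principal that is only in group1.  The POST to
# !svn/me followed by PUTs to !svn/txr/<txn>/<path> is the HTTPv2 commit shape
# described in the webdav-protocol notes linked in the PS; "9-a" is a made-up
# transaction name and the file names are invented.
TRACE = [
    ("OPTIONS", "/svn/group2"),                       # read: allowed by design
    ("PUT",     "/svn/group2/README"),                # direct write: denied
    ("POST",    "/svn/!svn/me"),                      # open a transaction
    ("PUT",     "/svn/!svn/txr/9-a/group1/NOTES"),    # write to own section
    ("PUT",     "/svn/!svn/txr/9-a/group2/README"),   # write to group2 via txn
]

if __name__ == "__main__":
    for method, uri in TRACE:
        verdict = "allow" if require_any_group({"group1"}, method, uri) else "deny"
        print(f"{verdict:5} {method:7} {uri}")
    for leak in out_of_section_writes({"group1"}, TRACE):
        print("admitted write outside own section:", leak)
```

Run against the constructed trace, the direct PUT to /svn/group2/README is denied as intended, but the PUT to /svn/!svn/txr/9-a/group2/README is admitted, because the `!svn` alternative matches before any method or section test applies. `out_of_section_writes` is the check to run over real access-log lines for a group1 principal: anything it returns is a write the Request_URI rules let through to a section that principal should not be able to modify.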
