MarkusH1975 / svnserver.svn.mh

Docker Subversion Server with svn protocol
MIT License

Authentication not working #7

Open Rico-E opened 1 year ago

Rico-E commented 1 year ago

Hi, I have been trying for hours to get the authentication working. I did all of the steps that you explained, especially adding the user to the volume/svnrepo/myRepo1/conf/passwd file

[users]
myUsername1=MyPassword1
myUsername2=MyPassword2

But I can only checkout when I edit the volume/svnrepo/myRepo1/conf/svnserve.conf file and write:

[general]
anon-access=read
auth-access=write

(by default it was both commented out). But then I can not commit. When I try to commit I always get the error

svn: E170001: Authentication error from server: Internal server error in authentication

Only when I write anon-access=write I can commit.

I would love to be able to set anon-access=none, but then I can't even checkout. And what puzzles me is that I do not get a password prompt when I do not specify a password.

svn checkout --username myUsername1 svn://192.168.XXX.XXX/myRepo1
svn: E170013: Unable to connect to a repository at URL 'svn://192.168.XXX.XXX/myRepo1'
svn: E170001: Authentication error from server: Internal server error in authentication

Shouldn't there be a password prompt?

I am totally out of ideas. Can anyone help?

MarkusH1975 commented 1 year ago

See updated ACL: https://github.com/MarkusH1975/svnserver.svn.mh#svn-access-control

MarkusH1975 commented 1 year ago

https://linux.die.net/man/5/svnserve.conf

anon-access = none|read|write
Determines the access level for unauthenticated users. write access allows all repository operations. read access allows all operations except committing and changing revision properties. none access allows no access. The default level is read.

auth-access = none|read|write
Determines the access level for authenticated users, using the same access levels as above. The default level is write.

Rico-E commented 1 year ago

I did all of the steps in the updated ACL. And I understand what anon-access and auth-access are for. That's why I wrote that I cannot get authentication to work: I can only do read/write operations according to the level I set in anon-access, which shows that there is no authentication.

Do you know, why there is no password prompt, when I checkout?

I show you my complete configuration and post the content of all three files:

svnserve.conf

### This file controls the configuration of the svnserve daemon, if you
### use it to allow access to this repository.  (If you only allow
### access through http: and/or file: URLs, then this file is
### irrelevant.)

### Visit http://subversion.apache.org/ for more information.

[general]
### The anon-access and auth-access options control access to the
### repository for unauthenticated (a.k.a. anonymous) users and
### authenticated users, respectively.
### Valid values are "write", "read", and "none".
### Setting the value to "none" prohibits both reading and writing;
### "read" allows read-only access, and "write" allows complete 
### read/write access to the repository.
### The sample settings below are the defaults and specify that anonymous
### users have read-only access to the repository, while authenticated
### users have read and write access to the repository.
# anon-access = read
anon-access=read
auth-access=write
### The password-db option controls the location of the password
### database file.  Unless you specify a path starting with a /,
### the file's location is relative to the directory containing
### this configuration file.
### If SASL is enabled (see below), this file will NOT be used.
### Uncomment the line below to use the default password file.
password-db=passwd
### The authz-db option controls the location of the authorization
### rules for path-based access control.  Unless you specify a path
### starting with a /, the file's location is relative to the
### directory containing this file.  The specified path may be a
### repository relative URL (^/) or an absolute file:// URL to a text
### file in a Subversion repository.  If you don't specify an authz-db,
### no path-based access control is done.
### Uncomment the line below to use the default authorization file.
# authz-db = authz
### The groups-db option controls the location of the file with the
### group definitions and allows maintaining groups separately from the
### authorization rules.  The groups-db file is of the same format as the
### authz-db file and should contain a single [groups] section with the
### group definitions.  If the option is enabled, the authz-db file cannot
### contain a [groups] section.  Unless you specify a path starting with
### a /, the file's location is relative to the directory containing this
### file.  The specified path may be a repository relative URL (^/) or an
### absolute file:// URL to a text file in a Subversion repository.
### This option is not being used by default.
# groups-db = groups
### This option specifies the authentication realm of the repository.
### If two repositories have the same authentication realm, they should
### have the same password database, and vice versa.  The default realm
### is repository's uuid.
# realm = My First Repository
### The force-username-case option causes svnserve to case-normalize
### usernames before comparing them against the authorization rules in the
### authz-db file configured above.  Valid values are "upper" (to upper-
### case the usernames), "lower" (to lowercase the usernames), and
### "none" (to compare usernames as-is without case conversion, which
### is the default behavior).
# force-username-case = none
### The hooks-env options specifies a path to the hook script environment 
### configuration file. This option overrides the per-repository default
### and can be used to configure the hook script environment for multiple 
### repositories in a single file, if an absolute path is specified.
### Unless you specify an absolute path, the file's location is relative
### to the directory containing this file.
# hooks-env = hooks-env

[sasl]
### This option specifies whether you want to use the Cyrus SASL
### library for authentication. Default is false.
### Enabling this option requires svnserve to have been built with Cyrus
### SASL support; to check, run 'svnserve --version' and look for a line
### reading 'Cyrus SASL authentication is available.'
# use-sasl = true
### These options specify the desired strength of the security layer
### that you want SASL to provide. 0 means no encryption, 1 means
### integrity-checking only, values larger than 1 are correlated
### to the effective key length for encryption (e.g. 128 means 128-bit
### encryption). The values below are the defaults.
# min-encryption = 0
# max-encryption = 256

passwd

### This file is an example password file for svnserve.
### Its format is similar to that of svnserve.conf. As shown in the
### example below it contains one section labelled [users].
### The name and password for each user follow, one account per line.

[users]
# harry = harryssecret
# sally = sallyssecret
SvnNutzer = GeheimesPasswort

authz

### This file is an example authorization file for svnserve.
### Its format is identical to that of mod_authz_svn authorization
### files.
### As shown below each section defines authorizations for the path and
### (optional) repository specified by the section name.
### The authorizations follow. An authorization line can refer to:
###  - a single user,
###  - a group of users defined in a special [groups] section,
###  - an alias defined in a special [aliases] section,
###  - all authenticated users, using the '$authenticated' token,
###  - only anonymous users, using the '$anonymous' token,
###  - anyone, using the '*' wildcard.
###
### A match can be inverted by prefixing the rule with '~'. Rules can
### grant read ('r') access, read-write ('rw') access, or no access
### ('').

[aliases]
# joe = /C=XZ/ST=Dessert/L=Snake City/O=Snake Oil, Ltd./OU=Research Institute/CN=Joe Average

[groups]
# harry_and_sally = harry,sally
# harry_sally_and_joe = harry,sally,&joe

# [/foo/bar]
# harry = rw
# &joe = r
# * =

# [repository:/baz/fuz]
# @harry_and_sally = rw
# * = r
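
The three server-side files above, together with the anon-access/auth-access semantics quoted from the svnserve.conf man page earlier in the thread, are what decide whether a client is ever asked to authenticate. The following Python lint is an added example written for this thread; it is not part of the svnserver.svn.mh project and not code either poster ran. It parses svnserve.conf, passwd and (optionally) authz with the standard-library configparser and reports the states that come up in this discussion: a [general] key that is not a documented option (such as a misspelled auth-access, which svnserve does not apply), anon-access=write (unauthenticated commits), anon-access=read (unauthenticated reads of the whole repository), a commented-out password-db (the [users] section is then never consulted), an empty [users] section, and an authz file that exists while authz-db is still commented out. The file contents embedded below are constructed samples: a broken configuration next to a hardened one.

```python
"""Lint svnserve access-control files (constructed example, not project code).

Replace the embedded strings with the contents of
volume/svnrepo/<repo>/conf/{svnserve.conf,passwd,authz} to check a real repo.
"""
import configparser

# Options documented for the [general] section of svnserve.conf.
KNOWN_GENERAL_OPTIONS = {
    "anon-access", "auth-access", "password-db", "authz-db", "groups-db",
    "realm", "force-username-case", "hooks-env",
}
ACCESS_LEVELS = {"none", "read", "write"}


def parse_svn_ini(text):
    """Parse svnserve-style INI text. Lines starting with '#' (so '###' too)
    are comments. Key case is preserved because svn usernames are
    case-sensitive (configparser lowercases keys by default)."""
    cp = configparser.RawConfigParser(allow_no_value=True, strict=False,
                                      delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def lint(svnserve_conf, passwd, authz=None):
    """Return a list of (severity, message) findings; [] means nothing to report."""
    findings = []
    conf = parse_svn_ini(svnserve_conf)
    general = {}
    if conf.has_section("general"):
        general = {k: (v or "").strip() for k, v in conf.items("general")}

    # A misspelled option is not an error for svnserve; it is simply not applied,
    # so the documented default (auth-access=write, anon-access=read) stays in force.
    for key in general:
        if key not in KNOWN_GENERAL_OPTIONS:
            findings.append(("error", f"[general] option '{key}' is not a documented "
                                      "svnserve option; check the spelling"))

    anon = general.get("anon-access", "read")    # documented defaults
    auth = general.get("auth-access", "write")
    for name, value in (("anon-access", anon), ("auth-access", auth)):
        if value not in ACCESS_LEVELS:
            findings.append(("error", f"{name}={value!r} is not none|read|write"))
    if anon == "write":
        findings.append(("error", "anon-access=write lets unauthenticated clients commit"))
    elif anon == "read":
        findings.append(("warn", "anon-access=read lets unauthenticated clients read "
                                 "the whole repository"))

    # Without password-db the [users] section is never consulted.
    if "password-db" not in general:
        findings.append(("error", "password-db is not set; passwd is ignored and "
                                  "nobody can authenticate"))

    users = {}
    pw = parse_svn_ini(passwd)
    if pw.has_section("users"):
        users = {u: (s or "").strip() for u, s in pw.items("users")}
    if not users:
        findings.append(("error", "passwd has no active [users] entries"))
    for user, secret in users.items():
        if not secret:
            findings.append(("error", f"user {user!r} has an empty password"))

    if authz is not None and "authz-db" not in general:
        findings.append(("warn", "an authz file exists but authz-db is not set, "
                                 "so path-based rules are not enforced"))
    return findings


# Constructed samples: the kind of state reported in the thread, and a hardened version.
BROKEN_CONF = """\
[general]
anon-access=write
auth-acces=write
# password-db = passwd
"""

HARDENED_CONF = """\
[general]
anon-access = none
auth-access = write
password-db = passwd
authz-db = authz
"""

PASSWD = """\
[users]
# harry = harryssecret
myUsername1 = MyPassword1
"""

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for severity, message in lint(text, PASSWD) or [("ok", "no findings")]:
            print(f"{severity}: {message}")
```

With anon-access=none and auth-access=write every operation requires credentials, which is the state the original poster wants; the lint treats anon-access=read as a warning rather than an error because it is the documented default and may be intended for a public read-only repository.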

MarkusH1975 commented 1 year ago

Client Side: Try to move/delete ~/.subversion

Do NEW checkout svn co --username harry svn://serverip/myRepo1/

You should get a password prompt. Or use --password geheim to give the password on the command line.

Rico-E commented 1 year ago

I have a Windows client with the following svn version:

C:\Users\Me\Documents\Repos> svn --version
svn, version 1.14.2 (r1899510)
   compiled Sep 24 2022, 10:21:16 on x86-microsoft-windows

Copyright (C) 2022 The Apache Software Foundation.
This software consists of contributions made by many people;
see the NOTICE file for more information.
Subversion is open source software, see http://subversion.apache.org/

The following repository access (RA) modules are available:

* ra_svn : Module for accessing a repository using the svn network protocol.
  - with Cyrus SASL authentication
  - handles 'svn' scheme
* ra_local : Module for accessing a repository on local disk.
  - handles 'file' scheme
* ra_serf : Module for accessing a repository via WebDAV protocol using serf.
  - using serf 1.3.9 (compiled with 1.3.9)
  - handles 'http' scheme
  - handles 'https' scheme

The following authentication credential caches are available:

* Wincrypt cache in C:\Users\Me\AppData\Roaming\Subversion

So I emptied the auth directory under C:\Users\Me\AppData\Roaming\Subversion, but I don't get a password prompt. And it makes no difference, if I add --password GeheimesPasswort. I am still not authenticated. I still have only the anon-access-rights.

My client side config file looks like:

### This file configures various client-side behaviors.
###
### The commented-out examples below are intended to demonstrate
### how to use this file.

### Section for authentication and authorization customizations.
[auth]
### Set password stores used by Subversion. They should be
### delimited by spaces or commas. The order of values determines
### the order in which password stores are used.
### Valid password stores:
###   gnome-keyring        (Unix-like systems)
###   kwallet              (Unix-like systems)
###   gpg-agent            (Unix-like systems)
###   keychain             (Mac OS X)
###   windows-cryptoapi    (Windows)
# password-stores = windows-cryptoapi
### To disable all password stores, use an empty list:
# password-stores =
###
### Set ssl-client-cert-file-prompt to 'yes' to cause the client
### to prompt for a path to a client cert file when the server
### requests a client cert but no client cert file is found in the
### expected place (see the 'ssl-client-cert-file' option in the
### 'servers' configuration file). Defaults to 'no'.
# ssl-client-cert-file-prompt = no
###
### The rest of the [auth] section in this file has been deprecated.
### Both 'store-passwords' and 'store-auth-creds' can now be
### specified in the 'servers' file in your config directory
### and are documented there. Anything specified in this section 
### is overridden by settings specified in the 'servers' file.
# store-passwords = no
# store-auth-creds = no

### Section for configuring external helper applications.
[helpers]
### Set editor-cmd to the command used to invoke your text editor.
###   This will override the environment variables that Subversion
###   examines by default to find this information ($EDITOR, 
###   et al).
# editor-cmd = editor (vi, emacs, notepad, etc.)
### Set diff-cmd to the absolute path of your 'diff' program.
###   This will override the compile-time default, which is to use
###   Subversion's internal diff implementation.
# diff-cmd = diff_program (diff, gdiff, etc.)
### Diff-extensions are arguments passed to an external diff
### program or to Subversion's internal diff implementation.
### Set diff-extensions to override the default arguments ('-u').
# diff-extensions = -u -p
### Set diff3-cmd to the absolute path of your 'diff3' program.
###   This will override the compile-time default, which is to use
###   Subversion's internal diff3 implementation.
# diff3-cmd = diff3_program (diff3, gdiff3, etc.)
### Set diff3-has-program-arg to 'yes' if your 'diff3' program
###   accepts the '--diff-program' option.
# diff3-has-program-arg = [yes | no]
### Set merge-tool-cmd to the command used to invoke your external
### merging tool of choice. Subversion will pass 5 arguments to
### the specified command: base theirs mine merged wcfile
# merge-tool-cmd = merge_command

### Section for configuring tunnel agents.
[tunnels]
### Configure svn protocol tunnel schemes here.  By default, only
### the 'ssh' scheme is defined.  You can define other schemes to
### be used with 'svn+scheme://hostname/path' URLs.  A scheme
### definition is simply a command, optionally prefixed by an
### environment variable name which can override the command if it
### is defined.  The command (or environment variable) may contain
### arguments, using standard shell quoting for arguments with
### spaces.  The command will be invoked as:
###   <command> <hostname> svnserve -t
### (If the URL includes a username, then the hostname will be
### passed to the tunnel agent as <user>@<hostname>.)  If the
### built-in ssh scheme were not predefined, it could be defined
### as:
# ssh = $SVN_SSH ssh -q --
### If you wanted to define a new 'rsh' scheme, to be used with
### 'svn+rsh:' URLs, you could do so as follows:
# rsh = rsh --
### Or, if you wanted to specify a full path and arguments:
# rsh = /path/to/rsh -l myusername --
### On Windows, if you are specifying a full path to a command,
### use a forward slash (/) or a paired backslash (\\) as the
### path separator.  A single backslash will be treated as an
### escape for the following character.

### Section for configuring miscellaneous Subversion options.
[miscellany]
### Set global-ignores to a set of whitespace-delimited globs
### which Subversion will ignore in its 'status' output, and
### while importing or adding files and directories.
### '*' matches leading dots, e.g. '*.rej' matches '.foo.rej'.
# global-ignores = *.o *.lo *.la *.al .libs *.so *.so.[0-9]* *.a *.pyc *.pyo __pycache__
#   *.rej *~ #*# .#* .*.swp .DS_Store [Tt]humbs.db
### Set log-encoding to the default encoding for log messages
# log-encoding = latin1
### Set use-commit-times to make checkout/update/switch/revert
### put last-committed timestamps on every file touched.
# use-commit-times = yes
### Set no-unlock to prevent 'svn commit' from automatically
### releasing locks on files.
# no-unlock = yes
### Set mime-types-file to a MIME type registry file, used to
### provide hints to Subversion's MIME type auto-detection
### algorithm.
# mime-types-file = /path/to/mime.types
### Set preserved-conflict-file-exts to a whitespace-delimited
### list of patterns matching file extensions which should be
### preserved in generated conflict file names.  By default,
### conflict files use custom extensions.
# preserved-conflict-file-exts = doc ppt xls od?
### Set enable-auto-props to 'yes' to enable automatic properties
### for 'svn add' and 'svn import', it defaults to 'no'.
### Automatic properties are defined in the section 'auto-props'.
# enable-auto-props = yes
### Set interactive-conflicts to 'no' to disable interactive
### conflict resolution prompting.  It defaults to 'yes'.
# interactive-conflicts = no
### Set memory-cache-size to define the size of the memory cache
### used by the client when accessing a FSFS repository via
### ra_local (the file:// scheme). The value represents the number
### of MB used by the cache.
# memory-cache-size = 16
### Set diff-ignore-content-type to 'yes' to cause 'svn diff' to
### attempt to show differences of all modified files regardless
### of their MIME content type.  By default, Subversion will only
### attempt to show differences for files believed to have human-
### readable (non-binary) content.  This option is especially
### useful when Subversion is configured (via the 'diff-cmd'
### option) to employ an external differencing tool which is able
### to show meaningful differences for binary file formats.  [New
### in 1.9]
# diff-ignore-content-type = no

### Section for configuring automatic properties.
[auto-props]
### The format of the entries is:
###   file-name-pattern = propname[=value][;propname[=value]...]
### The file-name-pattern can contain wildcards (such as '*' and
### '?').  All entries which match (case-insensitively) will be
### applied to the file.  Note that auto-props functionality
### must be enabled, which is typically done by setting the
### 'enable-auto-props' option.
# *.c = svn:eol-style=native
# *.cpp = svn:eol-style=native
# *.h = svn:keywords=Author Date Id Rev URL;svn:eol-style=native
# *.dsp = svn:eol-style=CRLF
# *.dsw = svn:eol-style=CRLF
# *.sh = svn:eol-style=native;svn:executable
# *.txt = svn:eol-style=native;svn:keywords=Author Date Id Rev URL;
# *.png = svn:mime-type=image/png
# *.jpg = svn:mime-type=image/jpeg
# Makefile = svn:eol-style=native

### Section for configuring working copies.
[working-copy]
### Set to a list of the names of specific clients that should use
### exclusive SQLite locking of working copies.  This increases the
### performance of the client but prevents concurrent access by
### other clients.  Third-party clients may also support this
### option.
### Possible values:
###   svn                (the command line client)
# exclusive-locking-clients =
### Set to true to enable exclusive SQLite locking of working
### copies by all clients using the 1.8 APIs.  Enabling this may
### cause some clients to fail to work properly. This does not have
### to be set for exclusive-locking-clients to work.
# exclusive-locking = false
### Set the SQLite busy timeout in milliseconds: the maximum time
### the client waits to get access to the SQLite database before
### returning an error.  The default is 10000, i.e. 10 seconds.
### Longer values may be useful when exclusive locking is enabled.
# busy-timeout = 10000

And my Client side servers file looks like:

### This file specifies server-specific parameters,
### including HTTP proxy information, HTTP timeout settings,
### and authentication settings.
###
### The currently defined server options are:
###   http-proxy-host            Proxy host for HTTP connection
###   http-proxy-port            Port number of proxy host service
###   http-proxy-username        Username for auth to proxy service
###   http-proxy-password        Password for auth to proxy service
###   http-proxy-exceptions      List of sites that do not use proxy
###   http-timeout               Timeout for HTTP requests in seconds
###   http-compression           Whether to compress HTTP requests
###                              (yes/no/auto).
###   http-max-connections       Maximum number of parallel server
###                              connections to use for any given
###                              HTTP operation.
###   http-chunked-requests      Whether to use chunked transfer
###                              encoding for HTTP requests body.
###   http-auth-types            List of HTTP authentication types.
###   ssl-authority-files        List of files, each of a trusted CA
###   ssl-trust-default-ca       Trust the system 'default' CAs
###   ssl-client-cert-file       PKCS#12 format client certificate file
###   ssl-client-cert-password   Client Key password, if needed.
###   ssl-pkcs11-provider        Name of PKCS#11 provider to use.
###   http-library               Which library to use for http/https
###                              connections.
###   http-bulk-updates          Whether to request bulk update
###                              responses or to fetch each file
###                              in an individual request. 
###   store-passwords            Specifies whether passwords used
###                              to authenticate against a
###                              Subversion server may be cached
###                              to disk in any way.
###   store-plaintext-passwords  Specifies whether passwords may
###                              be cached on disk unencrypted.
###   store-ssl-client-cert-pp   Specifies whether passphrase used
###                              to authenticate against a client
###                              certificate may be cached to disk
###                              in any way
###   store-ssl-client-cert-pp-plaintext
###                              Specifies whether client cert
###                              passphrases may be cached on disk
###                              unencrypted (i.e., as plaintext).
###   store-auth-creds           Specifies whether any auth info
###                              (passwords, server certs, etc.)
###                              may be cached to disk.
###   username                   Specifies the default username.
###
### Set store-passwords to 'no' to avoid storing new passwords on
### disk in any way, including in password stores.  It defaults to
### 'yes', but Subversion will never save your password to disk in
### plaintext unless explicitly configured to do so.
###
### Set store-plaintext-passwords to 'no' to avoid storing new
### passwords in unencrypted form in the auth/ area of your config
### directory. Set it to 'yes' to allow Subversion to store
### unencrypted passwords in the auth/ area.  The default is
### 'ask', which means that Subversion will ask you before
### saving a password to disk in unencrypted form.  Note that
### this option has no effect if either 'store-passwords' or 
### 'store-auth-creds' is set to 'no'.
###
### Set store-ssl-client-cert-pp to 'no' to avoid storing new ssl
### client certificate passphrases in the auth/ area of your
### config directory.  It defaults to 'yes', but Subversion will
### never save your passphrase to disk in plaintext unless
### explicitly configured to do so.
###
### Set store-ssl-client-cert-pp-plaintext to 'no' to avoid storing
### new passphrases in unencrypted form in the auth/ area of your
### config directory.  Set it to 'yes' to allow Subversion to
### store unencrypted passphrases in the auth/ area.  The default
### is 'ask', which means that Subversion will prompt before
### saving a passphrase to disk in unencrypted form.  Note that
### this option has no effect if either 'store-auth-creds' or 
### 'store-ssl-client-cert-pp' is set to 'no'.
###
### Set store-auth-creds to 'no' to avoid storing any new Subversion
### credentials in the auth/ area of your config directory.
### Note that this includes SSL server certificates.
### It defaults to 'yes'.
###
### Note that setting a 'store-*' option to 'no' only prevents
### saving of *new* passwords, passphrases or other credentials.
### It does not remove or invalidate existing stored credentials.
### To do that, see the 'svn auth --remove' command, or remove the
### cache files by hand as described in the Subversion book at
### http://svnbook.red-bean.com/nightly/en/svn.serverconfig.netmodel.html#svn.tour.initial.authn-cache-purge
###
### HTTP timeouts, if given, are specified in seconds.  A timeout
### of 0, i.e. zero, causes a builtin default to be used.
###
### Most users will not need to explicitly set the http-library
### option, but valid values for the option include:
###    'serf': Serf-based module (Subversion 1.5 - present)
### Availability of these modules may depend on your specific
### Subversion distribution.
###
### The commented-out examples below are intended only to
### demonstrate how to use this file; any resemblance to actual
### servers, living or dead, is entirely coincidental.

### In the 'groups' section, the URL of the repository you're
### trying to access is matched against the patterns on the right.
### If a match is found, the server options are taken from the
### section with the corresponding name on the left.

[groups]
# group1 = *.collab.net
# othergroup = repository.blarggitywhoomph.com
# thirdgroup = *.example.com

### Information for the first group:
# [group1]
# http-proxy-host = proxy1.some-domain-name.com
# http-proxy-port = 80
# http-proxy-username = blah
# http-proxy-password = doubleblah
# http-timeout = 60
# store-plaintext-passwords = no
# username = harry

### Information for the second group:
# [othergroup]
# http-proxy-host = proxy2.some-domain-name.com
# http-proxy-port = 9000
# No username and password for the proxy, so use the defaults below.

### You can set default parameters in the 'global' section.
### These parameters apply if no corresponding parameter is set in
### a specifically matched group as shown above.  Thus, if you go
### through the same proxy server to reach every site on the
### Internet, you probably just want to put that server's
### information in the 'global' section and not bother with
### 'groups' or any other sections.
###
### Most people might want to configure password caching
### parameters here, but you can also configure them per server
### group (per-group settings override global settings).
###
### If you go through a proxy for all but a few sites, you can
### list those exceptions under 'http-proxy-exceptions'.  This only
### overrides defaults, not explicitly matched server names.
###
### 'ssl-authority-files' is a semicolon-delimited list of files,
### each pointing to a PEM-encoded Certificate Authority (CA) 
### SSL certificate.  See details above for overriding security 
### due to SSL.
[global]
# http-proxy-exceptions = *.exception.com, www.internal-site.org
# http-proxy-host = defaultproxy.whatever.com
# http-proxy-port = 7000
# http-proxy-username = defaultusername
# http-proxy-password = defaultpassword
# http-compression = auto
# No http-timeout, so just use the builtin default.
# ssl-authority-files = /path/to/CAcert.pem;/path/to/CAcert2.pem
#
# Password / passphrase caching parameters:
# store-passwords = no
# store-ssl-client-cert-pp = no
# store-plaintext-passwords = no
# store-ssl-client-cert-pp-plaintext = no