Hello,

I have an observation on the mod_authz_svn Module in combination with an authorized user. I have a configuration with an Apache 2.4, mod_lua and Subversion modules 1.9.xx.

This is my repo conf:

    <Location /svn/repo>
      DAV svn
      SVNPath "/.../repo"
      LuaHookCheckUserID "/etc/apache2/lua/hook.lua" authcheck_hook
      AuthzSVNAccessFile "/.../repo.access"
      Require valid-user
    </Location>

As you can see, the authorization is done by the Lua-script. As I understand it, this can be used as a full replacement for, for example, Basic Authentication.

My simple hook.lua accepts every user and sets the user-field on the request-object (=the user is accepted):

    require 'apache2'

    function authcheck_hook(r)
      r.user = "myuser"
      r:debug("Accepted user " .. r.user)
      return apache2.OK
    end

So in every case, the user gets authenticated, which I can see in the log.

Next, I call the webserver with a simple curl-Command: "curl http://localhost:4402/svn/repo"

Case 1:

- The accessfile configures my user to have access on repo-root:

      [repo:/]
      myuser = rw

- The curl-Command shows me a repo-root but none of the files below.
- The error_log shows that my user got authorized on root:

      [Fri Jan 19 21:20:58.735108 2018] [authz_svn:info] [pid 3465:tid 140589093869312] [client ::1:59812] Access granted: 'myuser' GET (null)

- But I'm not allowed to see a file below:

      [Fri Jan 19 21:20:58.735706 2018] [authz_svn:info] [pid 3465:tid 140589093869312] [client ::1:59812] Access denied: - GET repo:/muhmiau.txt

Case 2:

- The accessfile configures everybody to have access on repo-root:

      [repo:/]
      * = rw

- The curl-Command shows me a repo-root and the files below.
- The error-log tells that my user is allowed to see the root and the file:

      [Fri Jan 19 21:26:03.803831 2018] [authz_svn:info] [pid 3425:tid 140589085476608] [client ::1:59814] Access granted: 'myuser' GET (null)
      [Fri Jan 19 21:26:03.806508 2018] [authz_svn:info] [pid 3425:tid 140589085476608] [client ::1:59814] Access granted: 'myuser' GET repo:/muhmiau.txt

Case 3:

- Now I have an accessfile which allows everyone to rw, but not my user:

      [repo:/]
      * = rw
      myuser =

- Curl shows me the full repo content.
- The error_log tells that my user is allowed to see the root and the file:

      [Fri Jan 19 21:29:57.383442 2018] [authz_svn:info] [pid 3426:tid 140589085476608] [client ::1:59816] Access granted: 'myuser' GET (null)
      [Fri Jan 19 21:29:57.385402 2018] [authz_svn:info] [pid 3426:tid 140589085476608] [client ::1:59816] Access granted: - GET repo:/muhmiau.txt

That raised several questions:

1. Why is my user not "known" for a special file in Case 1, when it generally works? (Case 2)
2. Why does the restriction of a right (Case 3) not lead to a restricted view? As you can see in the log, the user is not known (like Case 1).

For me, especially Case 3 looks suspicious.

Any help would be appreciated.

Thanks and Kind Regards,
Stefan
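
Added example, not part of the original post and not Subversion or Apache code: a small Python check over the error_log lines quoted above that flags authz_svn verdicts logged with `-` in place of a user name on a connection where a named user had already been logged. Grouping lines by pid, tid and client is an assumption about which entries belong to the same request.

```python
import re

# Log lines copied from the post above (Case 1, Case 2, Case 3).
SAMPLE_LOG = """\
[Fri Jan 19 21:20:58.735108 2018] [authz_svn:info] [pid 3465:tid 140589093869312] [client ::1:59812] Access granted: 'myuser' GET (null)
[Fri Jan 19 21:20:58.735706 2018] [authz_svn:info] [pid 3465:tid 140589093869312] [client ::1:59812] Access denied: - GET repo:/muhmiau.txt
[Fri Jan 19 21:26:03.803831 2018] [authz_svn:info] [pid 3425:tid 140589085476608] [client ::1:59814] Access granted: 'myuser' GET (null)
[Fri Jan 19 21:26:03.806508 2018] [authz_svn:info] [pid 3425:tid 140589085476608] [client ::1:59814] Access granted: 'myuser' GET repo:/muhmiau.txt
[Fri Jan 19 21:29:57.383442 2018] [authz_svn:info] [pid 3426:tid 140589085476608] [client ::1:59816] Access granted: 'myuser' GET (null)
[Fri Jan 19 21:29:57.385402 2018] [authz_svn:info] [pid 3426:tid 140589085476608] [client ::1:59816] Access granted: - GET repo:/muhmiau.txt
"""

LINE_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\] \[authz_svn:info\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] \[client (?P<client>[^\]]+)\] "
    r"Access (?P<verdict>granted|denied): (?P<user>'[^']*'|-) "
    r"(?P<method>\S+) (?P<target>.+)$"
)

def parse(log_text):
    """Yield one dict per authz_svn verdict line; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line.strip())
        if m:
            rec = m.groupdict()
            # '-' in the user position means no user name was logged.
            rec["user"] = None if rec["user"] == "-" else rec["user"].strip("'")
            yield rec

def identity_drops(log_text):
    """Return verdicts logged without a user on a connection that had one."""
    seen_user = {}  # (pid, tid, client) -> last user name logged
    findings = []
    for rec in parse(log_text):
        key = (rec["pid"], rec["tid"], rec["client"])
        if rec["user"] is not None:
            seen_user[key] = rec["user"]
        elif key in seen_user:
            findings.append((seen_user[key], rec["verdict"], rec["target"]))
    return findings

if __name__ == "__main__":
    for user, verdict, target in identity_drops(SAMPLE_LOG):
        print(f"{verdict} without user (connection user was {user!r}): {target}")
```

On the quoted logs this flags the Case 1 and Case 3 file checks and leaves Case 2 alone, since there the file check was logged with 'myuser'.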