Avoid being kicked in the head when configuring anonymous Subversion access

Granting anonymous read-only access to a single repository in a site with multiple repos led to much swearing. But I’ve now cracked it. Here’s how…

What was I trying to do?

I’m running SVN via Apache, authenticating with basic HTTP auth. I have a few repositories in my SVN, and I wanted to grant anonymous read-only access to just one of them. So let us begin with

The naive solution

The first thing I tried was using something like this in my Apache vhost:

   <Location />
      DAV                  svn
      SVNPath              /home/svn/
      Satisfy              Any
      AuthType             Basic
      AuthName             "param3 Subversion Repository"
      AuthUserFile         /etc/apache2/dav_svn.passwd
      AuthGroupFile        /dev/null
      AuthzSVNAccessFile   /etc/apache2/svn_auth.conf
      <LimitExcept         GET PROPFIND OPTIONS REPORT>
         Require           valid-user
      </LimitExcept>
   </Location>

(as recommended in most Google results for “read-only svn access”), where /etc/apache2/svn_auth.conf looked like this:

   [code:/]
   # everyone gets read-only access
   * = r
   # but only I can write here
   sam = rw

   [some_other_repo:/]
   sam = rw

And indeed this behaved mostly as expected: I was able to anonymously check out a project from my code repo, but when I attempted to check in modifications I was asked to authenticate. WIN, right? Wrong. Because now any access to some_other_repo gave me a 403. WTF? I tried all kinds of variations on the vhost and svn_auth file, and cursed a lot, until I found the correct answer in the SVN book. So let's now look at

The correct solution

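It turns out that we don't actually need the <LimitExcept FOO BAR> block at all. With Require valid-user applied to every method and Satisfy Any in place, Apache lets a request through anonymously where the access file allows it and asks for credentials otherwise. The vhost now looks like this: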

   <Location />
      DAV                  svn
      SVNParentPath        /home/svn/
      AuthzSVNAccessFile   /etc/apache2/svn_auth.conf

      Satisfy              Any
      Require              valid-user

      AuthType             Basic
      AuthName             "param3 Subversion Repository"
      AuthUserFile         /etc/apache2/dav_svn.passwd
      AuthGroupFile        /dev/null
   </Location>

and the magic actually happens in svn_auth.conf:

   [some_other_repo:/]
   # no access at all to unauthorised users
   * =
   sam = rw

   [code:/]
   * = r
   sam = rw

Aha! This is made entirely of WIN! And once we have this, we can exert

Even finer-grained control

My svn_auth.conf now looks something like this:

   [some_other_repo:/]
   * =
   sam = rw

   [code:/]
   * =
   sam = rw

   [code:/montecarlo]
   * = r

so I'm granting anonymous access only to the montecarlo tree, and nothing else.

EDIT: Actually, I'm not sure about the fine-grained control stuff: when I had this set for more than one subtree, I was getting 403s again. Bears further investigation...
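A quick way to check which paths an access file like this opens to unauthenticated clients, as an added example that is not part of the original post. It assumes only `[repo:/path]` sections and `*` rules matter (groups, aliases, `$anonymous` and `~` rules are not evaluated), and it reports what the file's rules say, not what Apache will actually answer; the function names are made up for the example.

```python
import configparser
import posixpath

# Constructed sample: the final svn_auth.conf shown in the post.
SAMPLE_AUTHZ = """\
[some_other_repo:/]
* =
sam = rw

[code:/]
* =
sam = rw

[code:/montecarlo]
* = r
"""

def _norm(path):
    # "/montecarlo/" and "montecarlo" both become "/montecarlo"
    return posixpath.normpath("/" + path.strip("/"))

def load_star_rules(text):
    """Map (repo, path) -> access string of the '*' rule in that section."""
    cp = configparser.ConfigParser(delimiters=("=",), comment_prefixes=("#",),
                                   interpolation=None)
    cp.optionxform = str  # user names are case-sensitive, keep them as written
    cp.read_string(text)
    rules = {}
    for section in cp.sections():
        if ":" not in section or "*" not in cp[section]:
            continue  # [groups], unqualified paths, or no '*' rule here
        repo, path = section.split(":", 1)
        rules[(repo, _norm(path))] = cp[section]["*"].strip()
    return rules

def anonymous_access(rules, repo, path):
    """Nearest ancestor section with a '*' rule decides; default is no access."""
    path = _norm(path)
    while (repo, path) not in rules:
        if path == "/":
            return ""
        path = posixpath.dirname(path)
    return rules[(repo, path)]

def exposed_paths(rules):
    """Sections that explicitly open a path to unauthenticated clients."""
    return sorted((f"{repo}:{path}", acc) for (repo, path), acc in rules.items() if acc)
```

Run `exposed_paths(load_star_rules(open("/etc/apache2/svn_auth.conf").read()))` after each edit to the access file; any entry with `rw` means anonymous clients can commit.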

And all this so I can share this pointless bit of code.

Hope somebody finds this useful.
