Re: svn authz error: Access denied issue when running svn rm resource where the user should be able to have full access

2021-07-30 Thread Andrei Cusnir
Hi Daniel,
Can you please let me know if this is a case for which I should open a bug
ticket,
or whether this is something that has to do with the authz file contents.
Kind Regards,
Andrei

On Thu, Jul 22, 2021 at 4:57 PM Andrei Cusnir  wrote:

> Hi Daniel,
> thanks for your reply,
> I was able to confirm this behaviour on both svn server versions 1.12.2
> and 1.14.1
> current Apache server:
> Apache/2.4.25 (Debian) SVN/1.14.1 OpenSSL/1.0.2u mod_wsgi/4.5.11
> Python/2.7 configured -- resuming normal operations
>
> the user that reported it first has the most recent client:
> SVN/1.14.1 (x64-microsoft-windows) serf/1.3.9 TortoiseSVN-1.14.1.29085
> I have the following client:
> SVN/1.13.0 (x86_64-apple-darwin19.0.0) serf/1.3.9
>
>
> On Thu, Jul 22, 2021 at 4:51 PM Daniel Sahlberg <
> daniel.l.sahlb...@gmail.com> wrote:
>
>> Den ons 21 juli 2021 kl 22:30 skrev Andrei Cusnir :
>>
>>> Hi,
>>> here is my authz config file
>>>
>>> [groups]
>>> r_users =  Alexander_Lost
>>>
>>> [:glob:/]
>>> * = rw
>>>
>>> [:glob:/**/*.uasset]
>>> @r_users = rw
>>>
>>> [:glob:/**/Source/**]
>>> @r_users =
>>>
>>>
>>> user Alexander_Lost should be able to work with uasset type of files and
>>> should not see anything that has Source in the global path
>>>
>>> when I am trying to remove a path
>>> svn rm https://"Alexander_Lost"@subversion.assembla.com/svn/repo_name/branches/project_name/Projects/ShooterGame/Content/Mods/project_name/Assets/Foliage/Trees/StepeeGrass/Grass01/skwnorp_2K_Normal.uasset -m "test uasset delete by andrei"
>>> svn: E175013: Access to
>>> '/svn/repo_name/!svn/txr/153436-3cur/branches/project_name/Projects/ShooterGame/Content/Mods/project_name/Assets/Foliage/Trees/StepeeGrass/Grass01/skwnorp_2K_Normal.uasset'
>>> forbidden
>>>
>>> in the Apache logs I can see the following
>>>
>>> [Wed Jul 21 19:47:42.187161 2021] [authz_svn:error] [pid 1510:tid
>>> 140015597156096] [client 188.26.223.19:42966] Access denied:
>>> 'Alexander_Lost' DELETE
>>> repo_name:/branches/project_name/Projects/ShooterGame/Content/Mods/project_name/Assets/Foliage/Trees/StepeeGrass/Grass01/skwnorp_2K_Normal.uasset
>>>
>>>
>>> Please let me know if this is a config error or it is an authz bug.
>>>
>>
>> Do you know what versions are you using for the server and for the client?
>>
>> There is an issue with the authorization rules in versions 1.10.0 until
>> 1.14.0, fixed in 1.10.7 and 1.14.1. I'm not sure if it would cause problems
>> for you but check the description in the release notes:
>> http://subversion.apache.org/docs/release-notes/1.14.html#compat-misc-authz
>> and see if it might apply.
>>
>> Kind regards,
>> Daniel Sahlberg
>>
>>


Re: svn authz error: Access denied issue when running svn rm resource where the user should be able to have full access

2021-07-30 Thread Daniel Shahaf
Daniel Shahaf wrote on Sat, Jul 31, 2021 at 00:41:48 +:
> Now, the delete logic should request a *non* recursive access check if
> the thing to be deleted is a plain file in HEAD.  
> subversion/libsvn_repos/commit.c:delete_entry()
> does behave this way — when the .uasset path identifies a non-directory
> in HEAD, which is why I asked about that above — but if I'm reading
> mod_authz_svn's code correctly, it requires svn_authz_recursive access
> on all DELETE calls, regardless of whether a file or a directory is
> being requested to be deleted.
> 
> Which is to say, this would seem to be a bug in mod_authz_svn.

The following test results in SKIP/PASS/XFAIL on ra_local/ra_svn/ra_serf,
respectively.  It's a bit rough — no comments and line length style
violation — but putting it here for anyone who may want to take this
further.

When testing this I commented out the AuthzSVNReposRelativeAccessFile
line in davautocheck.sh for reasons discussed in the "1.14.x test
failure under USE_HTTPV1=1: ra-test 13 commit_empty_last_change" thread
(the secondary problem in that thread, not the one the subject line is
about).

Cheers,

Daniel


[[[
Index: subversion/tests/cmdline/authz_tests.py
===
--- subversion/tests/cmdline/authz_tests.py (revision 1891909)
+++ subversion/tests/cmdline/authz_tests.py (working copy)
@@ -1732,6 +1732,25 @@ def empty_group(sbox):
  sbox.repo_url)
 
 
+@XFail(svntest.main.is_ra_type_dav)
+@Skip(svntest.main.is_ra_type_file)
+def delete_file_with_starstar_rules(sbox):
+  "delete file with ** rules"
+
+  sbox.build(create_wc = False)
+
+  write_restrictive_svnserve_conf(sbox.repo_dir)
+
+  prefixed_rules = dict()
+  prefixed_rules[':glob:/**/lorem'] = '* = \n'
+  prefixed_rules['/'] = '%s = rw\n' % (svntest.main.wc_author,)
+  prefixed_rules['/A'] = '%s = \n' % (svntest.main.wc_author,)
+  prefixed_rules['/iota'] = '%s = rw\n' % (svntest.main.wc_author,)
+  write_authz_file(sbox, None, prefixed_rules = prefixed_rules)
+
+  svntest.main.run_svn(None, 'rm', sbox.repo_url + '/iota', '-m', 'Delete by 
URL')
+
+
 
 # Run the tests
 
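Review bot: delete_file_with_starstar_rules never checks the outcome itself; it fails only because `svntest.main.run_svn(None, 'rm', ...)` raises when `svn rm` exits non-zero or writes to stderr, and nothing confirms on ra_svn that `iota` is actually gone afterwards. Prefer `svntest.actions.run_and_verify_svn(None, [], 'rm', sbox.repo_url + '/iota', '-m', 'Delete by URL')` followed by an `svn ls` of `sbox.repo_url` whose expected output omits `iota`, so that PASS means the deletion happened rather than merely that no error was printed. The `':glob:/**/lorem'` rule with `'* = \n'` also deserves a one-line comment: no `lorem` exists anywhere in the greek tree, and the rule is there only so that a recursive check on `/iota` sees a pattern that could apply to a hypothetical descendant `/iota/lorem`; without that comment the `/A` rule reads as the operative restriction, although it never matches `/iota` at all. Finally, the `@XFail(svntest.main.is_ra_type_dav)` marker has to be dropped in the same commit that fixes mod_authz_svn, or the test will start reporting XPASS on ra_serf.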
@@ -1771,6 +1790,7 @@ test_list = [ None,
   inverted_group_membership,
   group_member_empty_string,
   empty_group,
+  delete_file_with_starstar_rules,
  ]
 serial_only = True
 
]]]


Re: svn authz error: Access denied issue when running svn rm resource where the user should be able to have full access

2021-07-30 Thread Daniel Shahaf
Daniel Sahlberg wrote on Thu, Jul 22, 2021 at 16:51:02 +0200:
> Den ons 21 juli 2021 kl 22:30 skrev Andrei Cusnir :
> > [groups]
> > r_users =  Alexander_Lost
> >
> > [:glob:/]
> > * = rw
> >
> > [:glob:/**/*.uasset]
> > @r_users = rw
> >
> > [:glob:/**/Source/**]
> > @r_users =
> 
> Do you know what versions are you using for the server and for the client?
> 
> There is an issue with the authorization rules in versions 1.10.0 until
> 1.14.0, fixed in 1.10.7 and 1.14.1. I'm not sure if it would cause problems
> for you but check the description in the release notes:
> http://subversion.apache.org/docs/release-notes/1.14.html#compat-misc-authz
> and see if it might apply.

That issue is about the interaction of [reposname:/path] and [/path]
stanzas.  It doesn't seem related.

Cheers,

Daniel


Re: svn authz error: Access denied issue when running svn rm resource where the user should be able to have full access

2021-07-30 Thread Daniel Shahaf
[dev@: tl;dr: mod_authz_svn shouldn't require svn_authz_recursive access
on DELETE when the target is a file]

Andrei Cusnir wrote on Wed, Jul 21, 2021 at 21:58:04 +0200:
> Hi,
> here is my authz config file
> 
> [groups]
> r_users =  Alexander_Lost
> 
> [:glob:/]
> * = rw
> 
> [:glob:/**/*.uasset]
> @r_users = rw
> 
> [:glob:/**/Source/**]
> @r_users =
> 
> 
> user Alexander_Lost should be able to work with uasset type of files and
> should not see anything that has Source in the global path
> 
> when I am trying to remove a path
> svn rm https://"Alexander_Lost"@subversion.assembla.com/svn/repo_name/branches/project_name/Projects/ShooterGame/Content/Mods/project_name/Assets/Foliage/Trees/StepeeGrass/Grass01/skwnorp_2K_Normal.uasset -m "test uasset delete by andrei"
> svn: E175013: Access to
> '/svn/repo_name/!svn/txr/153436-3cur/branches/project_name/Projects/ShooterGame/Content/Mods/project_name/Assets/Foliage/Trees/StepeeGrass/Grass01/skwnorp_2K_Normal.uasset'
> forbidden
> 
> in the Apache logs I can see the following
> 
> [Wed Jul 21 19:47:42.187161 2021] [authz_svn:error] [pid 1510:tid
> 140015597156096] [client 188.26.223.19:42966] Access denied:
> 'Alexander_Lost' DELETE
> repo_name:/branches/project_name/Projects/ShooterGame/Content/Mods/project_name/Assets/Foliage/Trees/StepeeGrass/Grass01/skwnorp_2K_Normal.uasset
> 
> 
> Please let me know if this is a config error or it is an authz bug.

What's the output of «svn info
^/branches/project_name/Projects/ShooterGame/Content/Mods/project_name/Assets/Foliage/Trees/StepeeGrass/Grass01/skwnorp_2K_Normal.uasset@HEAD»?
I'm looking for the Node Kind line.

With your authz file, I get:

% svnauthz accessof /path/to/your/authz/file --username Alexander_Lost \
    --path /branches/project_name/Projects/ShooterGame/Content/Mods/project_name/Assets/Foliage/Trees/StepeeGrass/Grass01/skwnorp_2K_Normal.uasset \
    --repository repo_name
rw
% svnauthz accessof /path/to/your/authz/file --username Alexander_Lost \
    --path /branches/project_name/Projects/ShooterGame/Content/Mods/project_name/Assets/Foliage/Trees/StepeeGrass/Grass01/skwnorp_2K_Normal.uasset \
    --repository repo_name -R
no

The authz functionality doesn't deal in revision numbers.  That implies
it doesn't deal in node kinds either (since node kinds can't be
determined without resolving a node's path at a particular revision (or
transaction)).  That, in turn, means authz must treat /foo/bar/baz.asset
as something that, for all it knows, might be a directory (at least in
some historical revisions).  Therefore, as soon as there's a glob rule
that might apply to at least one descendant of /foo/bar/baz.asset, and
that would grant Alexander_Lost "" (aka "no") access, the answer to the
recursive access check ought to become "no".  I think that's what
explains the svnauthz(1) results above.

Now, the delete logic should request a *non* recursive access check if
the thing to be deleted is a plain file in HEAD.  
subversion/libsvn_repos/commit.c:delete_entry()
does behave this way — when the .uasset path identifies a non-directory
in HEAD, which is why I asked about that above — but if I'm reading
mod_authz_svn's code correctly, it requires svn_authz_recursive access
on all DELETE calls, regardless of whether a file or a directory is
being requested to be deleted.

Which is to say, this would seem to be a bug in mod_authz_svn.

Cheers,

Daniel
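An added example, not code from this thread or from Subversion itself: a small Python model of ':glob:' authz evaluation that reproduces the two svnauthz results quoted above ('rw' for the plain check, 'no' for the recursive one) and the rule set from the authz_tests.py patch posted earlier in the thread. It implements the reasoning above literally: a recursive check treats the path as a directory that might contain anything, so every section whose pattern could still match something below the path is allowed to narrow the answer. Assumptions of the model, not documented Subversion behaviour: rule precedence is approximated by counting non-'**' segments (literal segments break ties), a user line beats group lines which beat '*', every section also covers its subtree, and 'jrandom' stands in for svntest.main.wc_author. The authz texts are constructed from what was posted.

```python
"""Toy model of Subversion authz with ':glob:' rules; an added example, not code
from libsvn_repos/authz.c.  Assumptions of this model: every section also covers
its subtree; the matching section with the most non-'**' segments wins, literal
segments breaking ties; a user line beats group lines, which beat '*'."""
import configparser
import re

def _segments(p):
    return [s for s in p.strip('/').split('/') if s]

def _seg_matches(pat, seg):
    # '*' and '?' never cross a '/', so each pattern segment is matched on its own.
    return re.fullmatch(re.escape(pat).replace(r'\*', '[^/]*').replace(r'\?', '[^/]'), seg) is not None

def _match(pat, path, descendant):
    """descendant=False: does the pattern match `path` exactly?
    descendant=True:  could it match some path strictly below `path`?"""
    if not pat:
        return False if descendant else not path
    head, rest = pat[0], pat[1:]
    if head == '**':  # swallows zero or more whole segments ...
        if any(_match(rest, path[i:], descendant) for i in range(len(path) + 1)):
            return True
        return descendant  # ... and could keep swallowing below `path`
    if not path:
        return descendant  # leftover pattern segments can live below `path`
    return _seg_matches(head, path[0]) and _match(rest, path[1:], descendant)

def matches(pattern, path, descendant=False):
    return _match(_segments(pattern), _segments(path), descendant)

def _specificity(pattern):
    segs = _segments(pattern)
    return (sum(s != '**' for s in segs), sum('*' not in s and '?' not in s for s in segs))

class Authz:
    def __init__(self, text, repository=None):
        cp = configparser.ConfigParser(delimiters=('=',), interpolation=None)
        cp.optionxform = str  # user and group names are case-sensitive
        cp.read_string(text)
        self.groups = {g: {m.strip() for m in ms.split(',')}
                       for g, ms in (cp.items('groups') if cp.has_section('groups') else [])}
        self.rules = []  # [(pattern, {name: rights})]
        for section in cp.sections():
            if section in ('groups', 'aliases'):
                continue
            spec = section[len(':glob:'):] if section.startswith(':glob:') else section
            repo, pat = (None, spec) if spec.startswith('/') else spec.split(':', 1)
            if repo is not None and repo != repository:
                continue  # rule for a different repository
            pat = pat.rstrip('/') + '/**'  # a section covers its whole subtree
            self.rules.append((pat, {k: set(v.strip()) for k, v in cp.items(section)}))

    def _rights(self, lines, user):
        """Rights one section gives `user`; naming neither the user, a group of
        theirs, nor '*' means the section gives nothing."""
        if user in lines:
            return lines[user]
        via_groups = [r for k, r in lines.items()
                      if k.startswith('@') and user in self.groups.get(k[1:], ())]
        return set().union(*via_groups) if via_groups else lines.get('*', set())

    def access(self, path, user):
        """Non-recursive check: the most specific matching section decides."""
        hits = [(_specificity(p), lines) for p, lines in self.rules if matches(p, path)]
        return self._rights(max(hits, key=lambda h: h[0])[1], user) if hits else set()

    def access_recursive(self, path, user):
        """Recursive check: `path` may be a directory holding anything, so every
        section that could apply somewhere below it can only take rights away."""
        rights = set(self.access(path, user))
        for pat, lines in self.rules:
            if matches(pat, path, descendant=True):
                rights &= self._rights(lines, user)
        return rights

def check(authz_text, repository, path, user):
    """(plain, recursive) answers in the vocabulary of `svnauthz accessof`."""
    authz = Authz(authz_text, repository)
    fmt = lambda rights: ''.join(c for c in 'rw' if c in rights) or 'no'
    return fmt(authz.access(path, user)), fmt(authz.access_recursive(path, user))

# Constructed copy of the authz file posted in the thread.
THREAD_AUTHZ = """\
[groups]
r_users = Alexander_Lost
[:glob:/]
* = rw
[:glob:/**/*.uasset]
@r_users = rw
[:glob:/**/Source/**]
@r_users =
"""
UASSET = ('/branches/project_name/Projects/ShooterGame/Content/Mods/project_name'
          '/Assets/Foliage/Trees/StepeeGrass/Grass01/skwnorp_2K_Normal.uasset')
# Rules from the posted authz_tests.py patch; 'jrandom' stands in for
# svntest.main.wc_author (an assumption of this example).
PATCH_AUTHZ = "[:glob:/**/lorem]\n* =\n[/]\njrandom = rw\n[/A]\njrandom =\n[/iota]\njrandom = rw\n"

if __name__ == '__main__':
    print(check(THREAD_AUTHZ, 'repo_name', UASSET, 'Alexander_Lost'))  # ('rw', 'no')
    print(check(PATCH_AUTHZ, None, '/iota', 'jrandom'))                 # ('rw', 'no')
```

Running the file prints ('rw', 'no') for both setups, the same split svnauthz shows above: the .uasset section wins the plain check, while the Source section, which could still match a path below the .uasset name, empties the recursive answer. Rewriting that third section for another repository (':glob:other:/**/Source/**') makes the model skip it and the recursive answer becomes 'rw', which is a quick way to confirm which section is the one taking the write bit away.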