In looking at the Apache error log file, it shows I am granted access to 
the svn repo when I use TortoiseSVN to browse the repo. I should NOT be 
allowed access since the id, utcaus\leftism, is not in the Bethtestteam 
group which is allowed access to Beth_test repo. (My id is in the admin 
group which has r/w to the / area.)

E:/etc/.svnaccess:
    [groups]
    admin = utcaus\loftism, utcaus\vasquer-a, utcaus\g0044320
    #
    SVNtestteam = utcaus\haugsch, utcaus\welcher, utcaus\vasquer-a, utcaus\g0044320
    #
    Bethtestteam = utcaus\welcher, utcaus\vasquer-a, utcaus\g0044320
    #
    [/]
    @admin = rw
    #
    [SVN_test:/]
    @SVNtestteam = rw
    #
    [Beth_test:/]
    @Bethtestteam = rw



Error log file shows it granted access (which it should not):

[Tue Sep 27 13:23:12.939577 2016] [authz_core:debug] [pid 7148:tid 2612] 
mod_authz_core.c(806): [client 153.4.249.122:60169] AH01626: authorization 
result of Require valid-user : denied (no authenticated user yet)
[Tue Sep 27 13:23:12.939577 2016] [authz_core:debug] [pid 7148:tid 2612] 
mod_authz_core.c(806): [client 153.4.249.122:60169] AH01626: authorization 
result of <RequireAny>: denied (no authenticated user yet)
[Tue Sep 27 13:23:12.939577 2016] [authnz_sspi:debug] [pid 7148:tid 2612] 
mod_authnz_sspi_authentication.c(439): [client 153.4.249.122:60169] 
SSPI00001: Entering authenticate_sspi_user()
[Tue Sep 27 13:23:12.955177 2016] [authnz_sspi:debug] [pid 7148:tid 2612] 
mod_authnz_sspi_authentication.c(544): [client 153.4.249.122:60169] 
SSPI00009: Authenticated user: utcaus\\loftism
[Tue Sep 27 13:23:12.955177 2016] [authz_svn:debug] [pid 7148:tid 2612] 
mod_authz_svn.c(195): [client 153.4.249.122:60169] Path to authz file is 
E:/etc/.svnaccess
[Tue Sep 27 13:23:12.955177 2016] [authz_svn:info] [pid 7148:tid 
2612] [client 153.4.249.122:60169] Access granted: 'utcaus\\loftism' 
OPTIONS Beth_test:/



On Tuesday, September 27, 2016 at 12:17:42 PM UTC-4, Mary Loftis wrote:

> I just tried accessing svn through TortoiseSVN and it is letting me access 
> the repo too. I shouldn't be allowed access to it. So I don't think it is 
> necessarily a trac problem but an Apache config problem. I'll have to do 
> some more investigation to figure out why it is letting me into the svn 
> repo. I thought I had been properly blocked by TortoiseSVN, but maybe I 
> confused my prod Apache server with my test (upgraded) Apache server. Back 
> to the drawing board.
>
> On Tuesday, August 23, 2016 at 11:59:05 AM UTC-4, Mary Loftis wrote:
>>
>> Platform: Windows Server 2008 R2 
>> Apache 2.2.23 (win32)/SSL 1.0.0j upgrading to Apache 2.4.23 (win32)/SSL 
>> 1.0.2h 
>> CollabNet Subversion Client SVNServe 1.7.8
>> Trac 1.0.9 (win32) 
>> Python 2.7.1
>>
>> On a Windows server, I had Subversion and Trac interacting nicely when 
>> running Apache 2.2.23, Subversion 1.7.8 with Trac 1.0.9 and the mod_python 
>> module. Access to Trac projects was permitted based on access control 
>> groups defined in the subversion access control file. The setting of the 
>> AuthzSVNAccessFile variable in the httpd.conf file pointed to the 
>> subversion access control file, e:/etc/.svnaccess. If the user had access 
>> to a subversion repo, then they had access to the associated Trac project, 
>> otherwise access was denied.
>>
>> The httpd.conf file contained the following:
>>
>> <Location /trac>
>>   SVNParentPath e:/svn_repository
>>   AuthzSVNAccessFile "E:/etc/.svnaccess"
>>   SetHandler mod_python
>>   PythonHandler trac.web.modpython_frontend
>>   PythonOption TracEnvParentDir e:\trac
>>   PythonOption TracUriRoot /trac
>>   AuthType SSPI
>>   SSPIAuth On
>>   SSPIOfferSSPI Off
>>   SSPIAuthoritative On
>>   SSPIDomain <domaincontroller>
>>   SSPIOmitDomain Off
>>   SSPIUsernameCase lower
>>   SSPIPerRequestAuth On
>>   SSPIOfferBasic On
>>   AuthName "UTAS TRAC Login (Use domain\userid format)"
>>   Require valid-user
>> </Location>
>>
>> I then had to upgrade Apache/SSL to 2.4.23, 1.0.2h. With this upgrade, 
>> mod_python was obsoleted so I had to switch to the mod_wsgi load module. I 
>> added in the mod_wsgi.so load module and modified the config file to remove 
>> the Python-related settings (keeping the AuthzSVNAccessFile setting) and 
>> add in mod_wsgi info.
>>
>> After the Apache upgrade, the httpd.conf file contained:
>>
>> <Location /trac>
>>   SVNParentPath e:/svn_repository
>>   AuthzSVNAccessFile "E:/etc/.svnaccess"
>>   AuthType SSPI
>>   SSPIAuth On
>>   SSPIOfferSSPI Off
>>   SSPIAuthoritative On
>>   SSPIDomain <domaincontroller>
>>   SSPIOmitDomain Off
>>   SSPIUsernameCase lower
>>   SSPIPerRequestAuth On
>>   SSPIOfferBasic On
>>   AuthName "UTAS TRAC Login (Use domain\userid format)"
>>   Require valid-user
>> </Location>
>>
>> WSGIScriptAlias /trac e:/trac/trac.wsgi
>>
>> <Directory "e:/trac">
>>    WSGIApplicationGroup %{GLOBAL}
>>    Order deny,allow
>>    Allow from all
>> </Directory>
>>
>>
>> The e:/trac.wsgi has the following in it:
>>
>> import os
>> import trac.web.main
>> import site
>>
>> site.addsitedir(r'e:\Python\Lib\site-packages')
>>
>> os.environ['PYTHON_EGG_CACHE'] = r'c:\Trac-Python-Egg-Cache'
>>
>> def application(environ, start_response):
>>   environ['trac.env_parent_dir'] = r'e:\trac' 
>>   return trac.web.main.dispatch_request(environ, start_response)
>>
>> The trac.ini file (for Beth_test project) has these critical sections, 
>> same as before the Apache upgrade:
>>
>> [components]
>> tracopt.versioncontrol.svn.* = enabled
>> tracstats.* = enabled
>>
>> [repositories]
>> Beth_test.dir = e:\svn_repository\Beth_test
>> Beth_test.description = This is the ‘Beth_test’ project repository on the Test svn server.
>> Beth_test.type = svn
>> Beth_test.url = https://<my_server>/svn/Beth_test
>> Beth_test.hidden = true
>> tsvn = tsvn: Interact with TortoiseSvn
>>
>> [trac]
>> authz_file = E:\etc\.svnaccess
>> permission_policies = AuthzSourcePolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy
>> permission_store = DefaultPermissionStore
>> repository_dir = e:\svn_repository\Beth_test
>> repository_type = svn
>> …plus a bunch of other settings
>>
>>
>> My directory structure on the server is:
>>
>>
>> E:\svn_repository\
>>    Beth_test
>>    SVN_test
>>
>> E:\trac\
>>    Beth_test
>>    SVN_test
>>
>>
>> When I bring up the Trac url after entering my active directory 
>> credentials, I see the 2 Trac projects listed. However when I click on a 
>> project, it gives me access to it even though I have not added my id to the 
>> access control group associated with the subversion Beth_test repo. With 
>> TortoiseSVN I am properly blocked, but with Trac using the mod_wsgi module, 
>> I can (erroneously) access the Trac project and subsequently browse the 
>> subversion source.
>>
>>
>> There is nothing useful in the Apache or Trac log files.
>>
>>
>> Any idea why Trac no longer follows the subversion access control 
>> permissions after upgrading Apache and switching from mod_python to 
>> mod_wsgi?
>>
>>
>>
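
How Subversion's path-based authorization evaluates the posted .svnaccess for the request in the log, as an added example that is not part of the original thread and is not Subversion's or Trac's own code. It is a simplified model of the documented lookup order (repository-specific section, then the section without a repository name, then the parent path) that ignores aliases, nested groups and the `~` and `$` tokens; the function names and the AUTHZ_WITH_DENY variant are constructed for illustration.

```python
import configparser

# Authz file as posted (wrapped SVNtestteam line joined).
AUTHZ_POSTED = r"""
[groups]
admin = utcaus\loftism, utcaus\vasquer-a, utcaus\g0044320
SVNtestteam = utcaus\haugsch, utcaus\welcher, utcaus\vasquer-a, utcaus\g0044320
Bethtestteam = utcaus\welcher, utcaus\vasquer-a, utcaus\g0044320
[/]
@admin = rw
[SVN_test:/]
@SVNtestteam = rw
[Beth_test:/]
@Bethtestteam = rw
"""
# Constructed variant: "* =" appended to [Beth_test:/] denies everyone else there.
AUTHZ_WITH_DENY = AUTHZ_POSTED + "* =\n"

def load(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(text)
    return cp

def section_rights(cp, section, user):
    """Rights a section gives user, or None when no line in it names the user."""
    if not cp.has_section(section):
        return None
    rights = None
    for who, value in cp.items(section):
        if who.startswith("@"):
            members = cp.get("groups", who[1:], fallback="").split(",")
            hit = user in [m.strip() for m in members]
        else:
            hit = who in ("*", user)
        if hit:  # matching lines within one section are combined
            rights = (rights or set()) | (set(value) & {"r", "w"})
    return rights

def access(cp, user, repo, path="/"):
    """Simplified lookup: [repo:path], then [path], then the parent path."""
    while True:
        for section in (f"{repo}:{path}", path):
            rights = section_rights(cp, section, user)
            if rights is not None:
                return "".join(sorted(rights))
        if path == "/":
            return ""  # nothing matched up to the root: denied
        path = path.rsplit("/", 1)[0] or "/"
```

With the posted file, `access(load(AUTHZ_POSTED), r"utcaus\loftism", "Beth_test")` returns `rw`: no line in `[Beth_test:/]` names that user, so the lookup falls through to `[/]`, where `@admin = rw` applies to every repository. With the constructed `* =` line in `[Beth_test:/]` the same call returns an empty string while Bethtestteam members keep `rw`.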
