SVN, trailing slash in Location directive works on browser, but gives 403 error if removed

Question

I am setting up SVN on a Red Hat Linux machine. My scenario is that I have two projects in the same directory:

/var/www/svn/proj1
/var/www/svn/proj2

My subversion.conf has the following configurations:

<Location /svn/proj1>
    DAV svn
    SVNPath /var/www/svn/proj1
    AuthzSVNAccessFile /etc/svn_proj1-acl-conf
    AuthType Basic
    AuthName "Subversion repos"
    AuthUserFile /etc/svn-auth-conf
    Require valid-user
</Location>

<Location /svn/proj2/>
    DAV svn
    SVNParentPath /var/www/svn/proj2
    SVNListParentPath on
    AuthzSVNAccessFile /etc/svn_proj2-acl-conf
    AuthType Basic
    AuthName "Subversion repos"
    AuthUserFile /etc/svn-auth-conf
    Require valid-user
</Location>

For project1 my URL http://www.example.com/svn/proj1 works pretty good, but for project2 I need to add trailing slash in the end of URL, http://www.example.com/svn/proj2/ or else it doesn't return with a user/password window.

If I remove the trailing slash from the location directive,

<Location /svn/proj2>

then it starts giving a 403 Forbidden error, no matter if I use a slash or not in the browser.

I am using it with TortoiseSVN, but project2 isn't working at all.

What should I look at in configurations?

What happens if you specify the configurations for proj1 and proj2 in exactly the same way (with SVNPath instead of SVNParentPath for proj2)? Also, are your permissions on the server for /var/www/svn/proj1 and proj2 directories identical? — malenkiy_scot, May 17 '12 at 20:41

score 1 · Answer 1 · answered May 18 '12 at 02:06

Confused. Confused. Confused...

But, I'm easily confused...

You have two projects. The first one you use:

SVNPath /var/www/svn/proj1

and the second you use:

SVNParentPath /var/www/svn/proj2

Why is one SVNPath and the other SVNParentPath? There's a difference. You specify SVNPath when you refer to a particular repository. You use SVNParentPath when you refer to a directory that contains multiple repositories.

So, exactly what is your setup? I have a feeling that they both should be SVNPath.

By the way, I notice you have the same user list, but separate AuthzSVNAccessFile access files. Are you merely stopping people from committing, or are you preventing people from reading particular files and directories?

Normal practice is to allow users to see all files, but to prevent commit access. In that case, you may want to do that outside of Apache httpd, using my pre-commit hook. This allows you to do two things:

Turn off directory checking access which speeds up Subversion.
Change commit permissions without restarting Apache httpd.

You can then configure both directories in a single configuration:

<Location /svn>
    DAV svn
    SVNParentPath /var/www/svn
    SVNListParentPath on
    AuthType Basic
    AuthName "Subversion repos"
    AuthUserFile /etc/svn-auth-conf
    SVNPathAuthz off
    Require valid-user
</Location>

Of course, if you're using AuthzPath to prevent read access, you have to use the AuthzSVNAccessFile parameter. But, it makes things more complex, and it slows you down. I usually recommend against it unless users aren't suppose to be able to peek at each other repos (which is quite rare).

And, one more thing... Do your users have LDAP or Windows Active Directory accounts? If so, you can use that to determine Subversion repository access:

 LoadModule authnz_ldap_module   modules/authnz_ldap.so

 <Location /svn>
    DAV svn
    SVNParentPath /var/www/svn
        SVNListParentPath on
    AuthType basic
    AuthName "Subversion Repository"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    AuthLDAPURL "ldap://windomain.mycorp.com:3268/dc=mycorp,dc=com?sAMAccountName" NONE
    AuthLDAPBindDN "CN=svn_user,OU=Users,DC=mycorp,DC=com"
    AuthLDAPBindPassword "swordfish"
    Require ldap-group CN=developers,CN=Users,DC=mycorp,DC=com
</Location>

This way, if a user has a Windows account (or is in your LDAP database), and that user is in the developers group, they automatically have access to your Subversion repositories (note the SVNParentPath for both repos and any future ones). This way, you're not constantly adding and subtracting users out of your SVN AUthorization file. Plus, you're not constantly retrieving forgotten passwords.

Now, that's all your Windows administrator's responsibility. It's magic. I made your task their job. User doesn't have Subversion access? No longer your problem. More time to play Angry Birds.

One more tiny thing: I have a feeling you don't want to place your repository under /var/www for the simple reason that might be your document root. If you're not careful, you might be granting direct access to your Subversion repository directory.

You're better off putting them elsewhere and changing the SVNParentPath.

Thank you for the reply David, Yes, we require to keep users to their projects only. For testing purpose I have imitated the projec1 config for project2 DAV svn SVNPath /var/www/svn/proj2 AuthzSVNAccessFile /etc/svn_ngot-acl-conf AuthType Basic AuthName "Subversion repos" AuthUserFile /etc/svn-auth-conf Require valid-user Now the error has changed to "Could not open the requested SVN filesystem". What does this mean actually? Sorry, I am pretty new to SVN. Thanks again. Mani — Mani jeee, May 18 '12 at 20:15
@Manijeee Check the permission on the files and directories of your Subversion repository. They should be owned by the user running Apache (could be `apache` or `wwwrun` or `http` depending upon the distro). Make sure the permissions are set to `rwxr-xr-x` on all directories and files in the Subversion repository directory and all are owned by the user running Apache. — David W., May 18 '12 at 20:57
Thank you for the guidance and sorry for a late reply. I had been away from work for couples of days. Yes, the permissions were set as you mentioned. Given and taken the all rights too but it didn't work.... I have reverted back the configs. User can access their project by giving the complete URLhttp://www.mydomain/svn/proj2/myproject/. This has been sufficient enough for our requirement for now. Anyways, Thank you so much for all the help. Mani Jeee. — Mani jeee, May 22 '12 at 19:26

score 0 · Answer 2 · edited Dec 18 '16 at 23:54

0

The Location and SVNParentPath directive should have the same trailing slash rule: either with or without.

So it should be:

<Location /svn/proj2/>            <--- Here trailing slash (or not)
    [..]
    SVNPath /var/www/svn/proj2/  <--- Here same like Location
    [...]
</Location>

edited Dec 18 '16 at 23:54

Peter Mortensen

30,738
21
105
131

answered May 17 '12 at 22:18

Peter Parker

29,093
5
52
80

Thank you for the response Peter. I have tried this already, but it didn't change the situation. I added and removed trailing slashes from both location but of no use. – Mani jeee May 18 '12 at 17:36
1

The variable name should be SVNPath not SVNParentPath. – lszrh Sep 19 '14 at 10:32
@Lukas Schulze: Thanks for pointing this out! I corrected the Apache Statement – Peter Parker Sep 21 '14 at 11:38

SVN, trailing slash in Location directive works on browser, but gives 403 error if removed

2 Answers2

Linked