authz's inverted group access rules are only effective for users mentioned in authz

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

authz's inverted group access rules are only effective for users mentioned in authz

Pavel Goran
Hello mailing list,

I'm migrating a repository from an ancient Subversion installation:

svn, version 1.6.17 (r1128011)
compiled Jun  2 2011, 23:35:08
(on Windows)

to a recent version:

svn, version 1.11.0 (r1845130)
   compiled Oct 29 2018, 14:33:24 on x86_64-unknown-linux-gnu
(on NixOS Linux)

And I'm encountering a regression in handling of the authz file by svnserve.

Steps to reproduce:

# mkdir -p /data/svn

# cd /data/svn

# svnadmin create myrepo

# cat >>myrepo/conf/svnserve.conf <<'END'
[general]
anon-access = none
password-db = passwd
authz-db = authz
END

# cat >>myrepo/conf/passwd <<'END'
myuser = mypassword
otheruser = otherpassword
END

# cat >>myrepo/conf/authz <<'END'
readonly = otheruser

[/]
$anonymous =
~@readonly = rw
@readonly = r
END

# svnserve -r /data/svn -d

# svn --username myuser --password mypassword --no-auth-cache ls svn://localhost/myrepo
svn: E170001: Authorization failed

The user "myuser" is not included in group "readonly", so I expect the rule
"~@readonly = rw" to take effect, but apparently this doesn't happen.

This setup worked fine in the old installation (version 1.6.17). Also, it
starts working if I add the user "myuser" to any other group:

# in authz, [groups] section
unrelatedgroup = myuser

or use it in any access rule (even if the rule specifies no access):

# in authz, [/] section
myuser =

I looked at the sources (subversion/libsvn_repos/authz_parse.c), and my
guess is that this behaviour results from not setting up user's rights with
a call to prepare_global_rights(). When a user is mentioned in authz, this
function gets called, and authorization starts working for the user.

Possibly correction of this problem could involve adding the new field
"unkn_rights" (and "has_unkn_rights") to struct authz_full_t, so that this
field would receive access rights from all inverted user-related access
rules (~user, ~&alias, ~@group). Then, svn_authz__get_global_rights() would
combine authz->has_unkn_rights with authz->has_authn_rights (instead of just
returning authz->has_authn_rights) when user_rights is NULL.

Pavel Goran

P.S. I'm not subscribed to the mailing list; please CC me directly when
replying.


Reply | Threaded
Open this post in threaded view
|

Re: authz's inverted group access rules are only effective for users mentioned in authz

Branko Čibej
On 26.11.2018 18:32, Pavel Goran wrote:

> Hello mailing list,
>
> I'm migrating a repository from an ancient Subversion installation:
>
> svn, version 1.6.17 (r1128011)
> compiled Jun  2 2011, 23:35:08
> (on Windows)
>
> to a recent version:
>
> svn, version 1.11.0 (r1845130)
>    compiled Oct 29 2018, 14:33:24 on x86_64-unknown-linux-gnu
> (on NixOS Linux)
>
> And I'm encountering a regression in handling of the authz file by svnserve.
>
> Steps to reproduce:

[...]

> # svnserve -r /data/svn -d
>
> # svn --username myuser --password mypassword --no-auth-cache ls svn://localhost/myrepo
> svn: E170001: Authorization failed
>
> The user "myuser" is not included in group "readonly", so I expect the rule
> "~@readonly = rw" to take effect, but apparently this doesn't happen.
>
> This setup worked fine in the old installation (version 1.6.17). Also, it
> starts working if I add the user "myuser" to any other group:
>
> # in authz, [groups] section
> unrelatedgroup = myuser
>
> or use it in any access rule (even if the rule specifies no access):
>
> # in authz, [/] section
> myuser =
>
> I looked at the sources (subversion/libsvn_repos/authz_parse.c), and my
> guess is that this behaviour results from not setting up user's rights with
> a call to prepare_global_rights(). When a user is mentioned in authz, this
> function gets called, and authorization starts working for the user.
>
> Possibly correction of this problem could involve adding the new field
> "unkn_rights" (and "has_unkn_rights") to struct authz_full_t, so that this
> field would receive access rights from all inverted user-related access
> rules (~user, ~&alias, ~@group). Then, svn_authz__get_global_rights() would
> combine authz->has_unkn_rights with authz->has_authn_rights (instead of just
> returning authz->has_authn_rights) when user_rights is NULL.
>
> Pavel Goran
>
> P.S. I'm not subscribed to the mailing list; please CC me directly when
> replying.

Thanks for the detailed report! Yes, this is indeed a bug. I see that
you've taken time to analyse the code; could you prepare a patch with
the fix you propose?

Also can you please create an issue in Jira:
https://issues.apache.org/jira/projects/SVN/


-- Brane

Reply | Threaded
Open this post in threaded view
|

Re: authz's inverted group access rules are only effective for users mentioned in authz

Branko Čibej
On 27.11.2018 10:41, Branko Čibej wrote:

> On 26.11.2018 18:32, Pavel Goran wrote:
>> Hello mailing list,
>>
>> I'm migrating a repository from an ancient Subversion installation:
>>
>> svn, version 1.6.17 (r1128011)
>> compiled Jun  2 2011, 23:35:08
>> (on Windows)
>>
>> to a recent version:
>>
>> svn, version 1.11.0 (r1845130)
>>    compiled Oct 29 2018, 14:33:24 on x86_64-unknown-linux-gnu
>> (on NixOS Linux)
>>
>> And I'm encountering a regression in handling of the authz file by svnserve.
>>
>> Steps to reproduce:
> [...]
>> # svnserve -r /data/svn -d
>>
>> # svn --username myuser --password mypassword --no-auth-cache ls svn://localhost/myrepo
>> svn: E170001: Authorization failed
>>
>> The user "myuser" is not included in group "readonly", so I expect the rule
>> "~@readonly = rw" to take effect, but apparently this doesn't happen.
>>
>> This setup worked fine in the old installation (version 1.6.17). Also, it
>> starts working if I add the user "myuser" to any other group:
>>
>> # in authz, [groups] section
>> unrelatedgroup = myuser
>>
>> or use it in any access rule (even if the rule specifies no access):
>>
>> # in authz, [/] section
>> myuser =
>>
>> I looked at the sources (subversion/libsvn_repos/authz_parse.c), and my
>> guess is that this behaviour results from not setting up user's rights with
>> a call to prepare_global_rights(). When a user is mentioned in authz, this
>> function gets called, and authorization starts working for the user.
>>
>> Possibly correction of this problem could involve adding the new field
>> "unkn_rights" (and "has_unkn_rights") to struct authz_full_t, so that this
>> field would receive access rights from all inverted user-related access
>> rules (~user, ~&alias, ~@group). Then, svn_authz__get_global_rights() would
>> combine authz->has_unkn_rights with authz->has_authn_rights (instead of just
>> returning authz->has_authn_rights) when user_rights is NULL.
>>
>> Pavel Goran
>>
>> P.S. I'm not subscribed to the mailing list; please CC me directly when
>> replying.
> Thanks for the detailed report! Yes, this is indeed a bug. I see that
> you've taken time to analyse the code; could you prepare a patch with
> the fix you propose?
>
> Also can you please create an issue in Jira:
> https://issues.apache.org/jira/projects/SVN/


I added a test case for this in r1847598, using the reproduction steps
described above.

-- Brane

Reply | Threaded
Open this post in threaded view
|

Re: authz's inverted group access rules are only effective for users mentioned in authz

Branko Čibej
On 27.11.2018 22:33, Branko Čibej wrote:

> On 27.11.2018 10:41, Branko Čibej wrote:
>> On 26.11.2018 18:32, Pavel Goran wrote:
>>> Hello mailing list,
>>>
>>> I'm migrating a repository from an ancient Subversion installation:
>>>
>>> svn, version 1.6.17 (r1128011)
>>> compiled Jun  2 2011, 23:35:08
>>> (on Windows)
>>>
>>> to a recent version:
>>>
>>> svn, version 1.11.0 (r1845130)
>>>    compiled Oct 29 2018, 14:33:24 on x86_64-unknown-linux-gnu
>>> (on NixOS Linux)
>>>
>>> And I'm encountering a regression in handling of the authz file by svnserve.
>>>
>>> Steps to reproduce:
>> [...]
>>> # svnserve -r /data/svn -d
>>>
>>> # svn --username myuser --password mypassword --no-auth-cache ls svn://localhost/myrepo
>>> svn: E170001: Authorization failed
>>>
>>> The user "myuser" is not included in group "readonly", so I expect the rule
>>> "~@readonly = rw" to take effect, but apparently this doesn't happen.
>>>
>>> This setup worked fine in the old installation (version 1.6.17). Also, it
>>> starts working if I add the user "myuser" to any other group:
>>>
>>> # in authz, [groups] section
>>> unrelatedgroup = myuser
>>>
>>> or use it in any access rule (even if the rule specifies no access):
>>>
>>> # in authz, [/] section
>>> myuser =
>>>
>>> I looked at the sources (subversion/libsvn_repos/authz_parse.c), and my
>>> guess is that this behaviour results from not setting up user's rights with
>>> a call to prepare_global_rights(). When a user is mentioned in authz, this
>>> function gets called, and authorization starts working for the user.
>>>
>>> Possibly correction of this problem could involve adding the new field
>>> "unkn_rights" (and "has_unkn_rights") to struct authz_full_t, so that this
>>> field would receive access rights from all inverted user-related access
>>> rules (~user, ~&alias, ~@group). Then, svn_authz__get_global_rights() would
>>> combine authz->has_unkn_rights with authz->has_authn_rights (instead of just
>>> returning authz->has_authn_rights) when user_rights is NULL.
>>>
>>> Pavel Goran
>>>
>>> P.S. I'm not subscribed to the mailing list; please CC me directly when
>>> replying.
>> Thanks for the detailed report! Yes, this is indeed a bug. I see that
>> you've taken time to analyse the code; could you prepare a patch with
>> the fix you propose?
>>
>> Also can you please create an issue in Jira:
>> https://issues.apache.org/jira/projects/SVN/
>
> I added a test case for this in r1847598, using the reproduction steps
> described above.

https://issues.apache.org/jira/browse/SVN-4793

-- Brane
Reply | Threaded
Open this post in threaded view
|

Re: authz's inverted group access rules are only effective for users mentioned in authz

Branko Čibej
On 28.11.2018 01:49, Branko Čibej wrote:

> On 27.11.2018 22:33, Branko Čibej wrote:
>> On 27.11.2018 10:41, Branko Čibej wrote:
>>> On 26.11.2018 18:32, Pavel Goran wrote:
>>>> Hello mailing list,
>>>>
>>>> I'm migrating a repository from an ancient Subversion installation:
>>>>
>>>> svn, version 1.6.17 (r1128011)
>>>> compiled Jun  2 2011, 23:35:08
>>>> (on Windows)
>>>>
>>>> to a recent version:
>>>>
>>>> svn, version 1.11.0 (r1845130)
>>>>    compiled Oct 29 2018, 14:33:24 on x86_64-unknown-linux-gnu
>>>> (on NixOS Linux)
>>>>
>>>> And I'm encountering a regression in handling of the authz file by svnserve.
>>>>
>>>> Steps to reproduce:
>>> [...]
>>>> # svnserve -r /data/svn -d
>>>>
>>>> # svn --username myuser --password mypassword --no-auth-cache ls svn://localhost/myrepo
>>>> svn: E170001: Authorization failed
>>>>
>>>> The user "myuser" is not included in group "readonly", so I expect the rule
>>>> "~@readonly = rw" to take effect, but apparently this doesn't happen.
>>>>
>>>> This setup worked fine in the old installation (version 1.6.17). Also, it
>>>> starts working if I add the user "myuser" to any other group:
>>>>
>>>> # in authz, [groups] section
>>>> unrelatedgroup = myuser
>>>>
>>>> or use it in any access rule (even if the rule specifies no access):
>>>>
>>>> # in authz, [/] section
>>>> myuser =
>>>>
>>>> I looked at the sources (subversion/libsvn_repos/authz_parse.c), and my
>>>> guess is that this behaviour results from not setting up user's rights with
>>>> a call to prepare_global_rights(). When a user is mentioned in authz, this
>>>> function gets called, and authorization starts working for the user.
>>>>
>>>> Possibly correction of this problem could involve adding the new field
>>>> "unkn_rights" (and "has_unkn_rights") to struct authz_full_t, so that this
>>>> field would receive access rights from all inverted user-related access
>>>> rules (~user, ~&alias, ~@group). Then, svn_authz__get_global_rights() would
>>>> combine authz->has_unkn_rights with authz->has_authn_rights (instead of just
>>>> returning authz->has_authn_rights) when user_rights is NULL.
>>>>
>>>> Pavel Goran
>>>>
>>>> P.S. I'm not subscribed to the mailing list; please CC me directly when
>>>> replying.
>>> Thanks for the detailed report! Yes, this is indeed a bug. I see that
>>> you've taken time to analyse the code; could you prepare a patch with
>>> the fix you propose?
>>>
>>> Also can you please create an issue in Jira:
>>> https://issues.apache.org/jira/projects/SVN/
>> I added a test case for this in r1847598, using the reproduction steps
>> described above.
> https://issues.apache.org/jira/browse/SVN-4793

Fixed: http://svn.apache.org/r1847922

-- Brane