Ian Bicking: the old part of his blog

Help me please: Apache auth

I have a question about Apache authentication, which I'm hoping someone will be able to help me with.

I want a subversion repository where /home is less restrictive than anyplace else on the system. That is, I give many people access to /home, where they can make branches (of anything in the system) and drop experiments and whatnot. And I give a smaller set of people (everyone in the commit group) access to the entire repository.

But I can't figure out any way to relax permissions on a subdirectory. It's driving me nuts. I even tried hacks like <Location ~ "/(every|path|but|home)"> with a Require group commit and <Location /> with Require valid-user, but it just allowed anyone to commit anywhere. Unlike RewriteRule it seems like Location doesn't allow the prefixing of regular expressions with ! to indicate negation (so I can't use <Location ~ "!^/home">).

Any ideas?

Created 15 Jul '05

Comments:

Which ordering do you have in the Order directive?

You will need to write a stanza for all directories at the level for which you want relaxed permissions. A brief example:

consider the tree bar,baz,qux in foo using groups: elect and world 

Order Allow Deny
<Directory foo/bar>
 Require group elect
</Directory>
<Directory foo/baz>
 Require group world
</Directory>
<Directory foo/qux> #this lets anyone in!! it is wrong
 Require valid-user
 Require group elect
</Directory>

I find that when it comes to securing resources like this explicit is better than implicit ;-)

# Larry

If it's a Subversion repository: Why not use Subversion's own authorization feature? It'll easily accept what you want.

# Simon Percivall

I'd forgotten about that, I'll have to give that a look again.

# Ian Bicking

Check out: http://svnbook.red-bean.com/en/1.1/ch06s04.html#svn-ch-6-sect-4.4

# Peter Fein

See: http://httpd.apache.org/docs/2.2/mod/core.html#require

Removing controls in subdirectories

The following example shows how to use the Satisfy directive to disable access controls in a subdirectory of a protected directory. This technique should be used with caution, because it will also disable any access controls imposed by mod_authz_host.

<Directory /path/to/protected/> Require user david </Directory> <Directory /path/to/protected/unprotected> # All access controls and authentication are disabled # in this directory Satisfy Any Allow from all </Directory>

# philc

See: http://httpd.apache.org/docs/2.2/mod/core.html#require Section: Removing controls in subdirectories

# philc